From 81961d74d7a6d04ea21fad3dc89d56103e915d07 Mon Sep 17 00:00:00 2001
From: Daco Harkes
Date: Mon, 6 Jan 2025 10:40:30 +0100
Subject: [PATCH] add note about integrity
---
 .../build/download_asset/lib/src/hook_helpers/download.dart | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/native_assets_cli/example/build/download_asset/lib/src/hook_helpers/download.dart b/pkgs/native_assets_cli/example/build/download_asset/lib/src/hook_helpers/download.dart
index 12bb92129..1a7bb4cae 100644
--- a/pkgs/native_assets_cli/example/build/download_asset/lib/src/hook_helpers/download.dart
+++ b/pkgs/native_assets_cli/example/build/download_asset/lib/src/hook_helpers/download.dart
@@ -37,6 +37,10 @@ Future downloadAsset(
 }
 Future hashAsset(File assetFile) async {
+ // TODO(dcharkes): Should this be a strong hash to not only check for download
+ // integrity but also safeguard against tampering? This would protected
+ // against the case where the binary hoster is compromised but pub is not
+ // compromised.
 final fileHash = md5.convert(await assetFile.readAsBytes()).toString();
 return fileHash;
 }
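Review bot: `hashAsset` still computes `md5` on the line right after the new TODO, so the comment documents the gap without closing it: MD5 is no longer collision-resistant, and a pinned MD5 digest is adequate for catching corrupted downloads but should not be relied on as the tamper check the comment describes. If `md5` comes from `package:crypto` (the import is outside the hunk), the same library exposes `sha256`, so the line can become `final fileHash = sha256.convert(await assetFile.readAsBytes()).toString();`, with the expected digests that callers compare against regenerated in the same change. Wherever that comparison happens (not visible here), a mismatch should abort the build rather than only being logged. The comment's "This would protected" should also read "This would protect".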