From a62e6211cb81c68c57a180c5702ffe1dee406d82 Mon Sep 17 00:00:00 2001
From: Taiki Endo <te316e89@gmail.com>
Date: Wed, 17 Dec 2025 20:19:06 +0900
Subject: [PATCH] codegen: Use ring instead of sha2

```
    Updating crates.io index
     Locking 0 packages to latest compatible versions
    Removing block-buffer v0.10.4
    Removing cpufeatures v0.2.17
    Removing crypto-common v0.1.7
    Removing digest v0.10.7
    Removing generic-array v0.14.7
    Removing sha2 v0.10.9
    Removing typenum v1.19.0
    Removing version_check v0.9.5
```
---
 tools/codegen/Cargo.toml  | 2 +-
 tools/codegen/src/main.rs | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/tools/codegen/Cargo.toml b/tools/codegen/Cargo.toml
index ce992f90..9ee45aca 100644
--- a/tools/codegen/Cargo.toml
+++ b/tools/codegen/Cargo.toml
@@ -9,11 +9,11 @@ anyhow = "1"
 flate2 = "1"
 fs-err = "3"
 minisign-verify = "0.2"
+ring = "0.17"
 semver = { version = "1", features = ["serde"] }
 serde = "1"
 serde_derive = "1"
 serde_json = "1"
-sha2 = "0.10"
 spdx = "0.13"
 tar = "0.4"
 toml = { version = "0.9", default-features = false, features = ["parse", "serde"] }
diff --git a/tools/codegen/src/main.rs b/tools/codegen/src/main.rs
index ca3c3c5b..b7cc38d5 100644
--- a/tools/codegen/src/main.rs
+++ b/tools/codegen/src/main.rs
@@ -17,7 +17,6 @@ use install_action_internal_codegen::{
     BaseManifest, HostPlatform, Manifest, ManifestDownloadInfo, ManifestRef, ManifestTemplate,
     ManifestTemplateDownloadInfo, Manifests, Signing, SigningKind, Version, workspace_root,
 };
-use sha2::{Digest as _, Sha256};
 use spdx::expression::{ExprNode, ExpressionReq, Operator};
 
 fn main() -> Result<()> {
@@ -343,8 +342,8 @@ fn main() -> Result<()> {
             }
 
             eprintln!("getting sha256 hash for {url}");
-            let hash = Sha256::digest(&buf);
-            let hash = format!("{hash:x}");
+            let hash = ring::digest::digest(&ring::digest::SHA256, &buf);
+            let hash = format!("{hash:?}").strip_prefix("SHA256:").unwrap().to_owned();
             if let Some(digest) = digest {
                 if hash != digest.strip_prefix("sha256:").unwrap() {
                     bail!(
@@ -386,8 +385,8 @@ fn main() -> Result<()> {
                         eprintln!("already downloaded");
                     } else {
                         download(&url)?.into_reader().read_to_end(&mut buf2)?;
-                        let hash = Sha256::digest(&buf2);
-                        if format!("{hash:x}") != v.checksum {
+                        let hash = ring::digest::digest(&ring::digest::SHA256, &buf2);
+                        if format!("{hash:?}").strip_prefix("SHA256:").unwrap() != v.checksum {
                             bail!("checksum mismatch for {url}");
                         }
                         let decoder = flate2::read::GzDecoder::new(&*buf2);