Add a `hash` method for strings #15139

rruuaanng · 2025-10-18T02:51:56Z

hash constant is widely used in file verification, so
I suggest adding a hash method for strings to obtain
the hash constant of a string. For its usage example:

hash_str = 'foobar'.hash('sha1') # return a sha1 constant
# some process

bonzini · 2025-10-18T05:59:02Z

MD5 is insecure and totally should not be used. Maybe SHA1 or SHA256 but certainly not MD5.

rruuaanng · 2025-10-18T06:57:15Z

Maybe I should add a hash() that behaves in the same way as the cmake string().

rruuaanng · 2025-10-18T08:33:38Z

@bonzini I think it looks really great, please review it again :)

bonzini

Left a few comments: testcases are needed and it should be a method rather than a function.

mesonbuild/interpreter/interpreter.py

docs/yaml/elementary/str.yml

dnicolodi · 2025-10-18T12:31:25Z

docs/yaml/elementary/str.yml

+        - sha3_224
+        - sha3_256
+        - sha3_384
+        - sha3_512


The python documentation lists more algorithms that are always present.

It looks like there is no more :(

Wrong section of the docs. That section specifically uses the language "such as these", indicating it isn't complete. Elsewhere on that page, it says:

Constructors for hash algorithms that are always present in this module are sha1(), sha224(), sha256(), sha384(), sha512(), sha3_224(), sha3_256(), sha3_384(), sha3_512(), shake_128(), shake_256(), blake2b(), and blake2s(). md5() is normally available as well, though it may be missing or blocked if you are using a rare “FIPS compliant” build of Python. These correspond to algorithms_guaranteed.

Additional algorithms may also be available if your Python distribution’s hashlib was linked against a build of OpenSSL that provides others. Others are not guaranteed available on all installations and will only be accessible by name via new(). See algorithms_available.

mesonbuild/interpreter/primitives/string.py

dnicolodi · 2025-10-18T12:39:46Z

Unless I'm missing something, this implementation of hash() cannot support binary files (str in Meson is always an unicode string and anyway there is no facility to read a binary file into a str object) thus I think it is of limited use. What is the use case for adding an hash() method to the str class?

bonzini · 2025-10-18T16:14:43Z

What is the use case for adding an hash() method to the str class?

I could have used it in the past to create an opaque identifier for the version (to build a private symbol in a library for example) but it's indeed quite niche.

It would be useful to hear from the submitter though.

eli-schwartz

hash constant is widely used in file verification, so

The fs module already supports this:

fs = import('fs')

myhash = fs.hash('foo.txt', 'sha512')

I do not understand the purpose of hashing a string object.

@dnicolodi,

Unless I'm missing something, this implementation of hash() cannot support binary files (str in Meson is always an unicode string and anyway there is no facility to read a binary file into a str object) thus I think it is of limited use. What is the use case for adding an hash() method to the str class?

Yes, and the fs module (already) solves this. :)

rruuaanng · 2025-10-19T05:00:27Z

@eli-schwartz

I do not understand the purpose of hashing a string object.

Alright, it seems there was a problem with my description. Actually, I hope to replicate the string() function in CMake, which can encode a string into a specified hash, such as in the following CMake example:

string(MD5 MD5_SUM ${CMAKE_CURRENT_LIST_DIR})
if(WIN32)
  execute_process(COMMAND ${CMAKE_COMMAND}
                  -E  write_regv
                 "HKEY_CURRENT_USER\\Software\\Kitware\\CMake\\Packages\\Zephyr\;${MD5_SUM}" "${CMAKE_CURRENT_LIST_DIR}"
)
...

This is my first time using Meson. I believe I need a string function, but it seems that Meson doesn't have such a built-in feature.

And this can do many things, for example, using configure to generate a set of build-time signatures that can be read and verified by the program, without having to sign them within the program itself. This greatly reduces runtime overhead, since the operations are moved to build time.

Hash constants are widely used in signatures, so I suggest adding a hash method for strings to obtain the hash constant of a string. For its usage example: ```meson hash_str = 'foobar'.hash('sha1') # return a sha1 constant # some process

eli-schwartz · 2025-10-19T05:56:39Z

Alright, it seems there was a problem with my description. Actually, I hope to replicate the string() function in CMake, which can encode a string into a specified hash, such as in the following CMake example:
string(MD5 MD5_SUM ${CMAKE_CURRENT_LIST_DIR})
if(WIN32)
  execute_process(COMMAND ${CMAKE_COMMAND}
                  -E  write_regv
                 "HKEY_CURRENT_USER\\Software\\Kitware\\CMake\\Packages\\Zephyr\;${MD5_SUM}" "${CMAKE_CURRENT_LIST_DIR}"
)
...

This CMake example is based on the CMake documentation for registering a search directory path for find_package(). The purpose of an md5 sum here is as a form of UUID, it doesn't have to be md5. Formally speaking, the exact value is irrelevant and "has no meaning" (it is not even used for collating a search order).

I am not sure this is an entirely compelling argument in favor of supporting md5 in particular, or hashes at all. I suppose that if I were to anyways use a script to set a registry key, I'd include UUID generation (or even cheap hashing) inside that script.

Although I do agree that in this case what you're interested in using as input is indeed a string, not a file.

And this can do many things, for example, using configure to generate a set of build-time signatures that can be read and verified by the program, without having to sign them within the program itself. This greatly reduces runtime overhead, since the operations are moved to build time.

I'm not certain that I fully understand this use case. By build time signatures do you mean security codesigning? How does this relate to a string value? (I would assume you'd want to compute the hash of a compiled artifact that the program would want to load, and requires a known matching hash before agreeing to load it.)

rruuaanng · 2025-10-19T09:00:54Z

I would assume you'd want to compute the hash of a compiled artifact that the program would want to load, and requires a known matching hash before agreeing to load it.

Yes, that's one of the applications, for example, creating hash information for a set of build-time data, or generating a unique identifier for a file path. There may be many other scenarios as well, I believe it has great potential.

(Most importantly, it’s built-in and doesn’t require writing any external scripts, quite simple, I think that good :) )

rruuaanng marked this pull request as ready for review October 18, 2025 02:52

rruuaanng requested review from jpakkane and mensinda as code owners October 18, 2025 02:52

rruuaanng force-pushed the add-md5 branch from 48effbe to 1705876 Compare October 18, 2025 03:20

rruuaanng force-pushed the add-md5 branch from 1705876 to a6ff708 Compare October 18, 2025 07:27

rruuaanng changed the title ~~Add a built-in md5 function~~ Add a built-in hash function Oct 18, 2025

rruuaanng force-pushed the add-md5 branch from a6ff708 to a529449 Compare October 18, 2025 08:32

bonzini suggested changes Oct 18, 2025

View reviewed changes

mesonbuild/interpreter/interpreter.py Outdated Show resolved Hide resolved

mesonbuild/interpreter/interpreter.py Outdated Show resolved Hide resolved

rruuaanng force-pushed the add-md5 branch from a529449 to 369cf0f Compare October 18, 2025 12:17

rruuaanng changed the title ~~Add a built-in hash function~~ Add a hash method for strings Oct 18, 2025