
NodeJS checksum not being verified after downloading via the npm plugin #717

Closed
alnvdl-work opened this issue Apr 24, 2024 · 4 comments
Labels
Bug Something isn't working

Comments

@alnvdl-work

alnvdl-work commented Apr 24, 2024

Bug Description

Problem 1 (solved; see below)
The npm plugin installs NodeJS during the build step:

if options.npm_include_node:
    arch = self._get_architecture()
    version = options.npm_node_version
    node_uri = (
        f"https://nodejs.org/dist/v{version}"
        f"/node-v{version}-linux-{arch}.tar.gz"
    )
    # The tarball is streamed straight from curl into tar: nothing checks
    # its integrity or authenticity before it lands in CRAFT_PART_INSTALL.
    command.append(
        dedent(
            f"""\
            if [ ! -f "${{CRAFT_PART_INSTALL}}/bin/node" ]; then
                curl -s "{node_uri}" |
                tar xzf - -C "${{CRAFT_PART_INSTALL}}/" \
                    --no-same-owner --strip-components=1
            fi
            """
        )
    )

When building a ROCK, if we use override-build to customize the invocation of npm install as needed by our application, we don't get NodeJS installed. So we have to either download and install NodeJS ourselves, or resort to hacks like building the application during the stage step.

For building this ROCK, we found a nice workaround using overlay-script, which is good enough for us for now to install NodeJS independently:

The overlay step provides the means to modify the base filesystem before the build step is applied
See: https://canonical-rockcraft.readthedocs-hosted.com/en/latest/explanation/overlay-step/


Problem 2
Somewhat related to this: the download of NodeJS should also ideally have its checksum verified to mitigate the impact of any supply-chain attacks and eliminate the problem of corrupted downloads, maybe doing something similar to what Docker does:
https://github.com/nodejs/docker-node/blob/1fc16c3d1ea2be71fba69115f59d0e8f99876692/18/buster/Dockerfile

To Reproduce

Try to build any application whose npm install process needs to be customized to be different from the default dictated by the part.

part yaml

No response

Relevant log output

-
@alnvdl-work alnvdl-work added the Bug Something isn't working label Apr 24, 2024
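A hardened form of the snippet quoted in the issue, as an added example that is not the npm plugin's own code: it fetches the release's SHASUMS256.txt alongside the tarball and refuses to extract anything until the digest matches, the same check the linked docker-node Dockerfile performs. The function names `install_node` and `verify_node_checksum` are hypothetical; the block assumes POSIX sh with curl, sha256sum and tar available.

```shell
#!/bin/sh
# Added example, not the npm plugin's code: download NodeJS and verify it against
# the release's SHASUMS256.txt before extracting. Function names are hypothetical.
set -eu

# verify_node_checksum SHASUMS_FILE TARBALL_PATH
# SHASUMS256.txt lines have the form "<sha256>  <artifact name>", so match the
# tarball's basename exactly in field 2 (this also skips .sig/.asc rows).
# Returns 0 only when an entry exists and its digest equals the file's digest.
verify_node_checksum() {
    shasums=$1
    tarball=$2
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$shasums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $shasums" >&2
        return 1
    fi
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
}

# install_node VERSION ARCH DEST
# Same download the plugin emits, but: curl -f fails on HTTP errors instead of
# piping an error page into tar, and nothing is extracted until the digest has
# been checked. SHASUMS256.txt arrives over the same channel as the tarball, so
# this catches corruption and a swapped artifact; verifying its detached
# signature (SHASUMS256.txt.asc) against the Node release keys, as the
# docker-node Dockerfile does, is what also covers a compromised download host.
install_node() {
    version=$1
    arch=$2
    dest=$3
    base="https://nodejs.org/dist/v${version}"
    name="node-v${version}-linux-${arch}.tar.gz"
    tmp=$(mktemp -d)
    curl -fsSL -o "$tmp/$name" "$base/$name"
    curl -fsSL -o "$tmp/SHASUMS256.txt" "$base/SHASUMS256.txt"
    verify_node_checksum "$tmp/SHASUMS256.txt" "$tmp/$name"
    tar xzf "$tmp/$name" -C "$dest" --no-same-owner --strip-components=1
    rm -rf "$tmp"
}

# Usage inside a part's build step (not run here; version is an example value):
#   [ -f "${CRAFT_PART_INSTALL}/bin/node" ] || install_node 18.20.2 x64 "${CRAFT_PART_INSTALL}"
```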

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/CRAFT-2852.

This message was autogenerated

@tigarmo
Contributor

tigarmo commented Apr 24, 2024

if we use override-build to customize the invocation of npm install as needed by our application

Can you talk about this customization in your specific case? One way to bypass this issue altogether would be to improve the plugin so that it does what you need it to do without having to override steps.

@alnvdl-work alnvdl-work changed the title Overriding the build step causes NodeJS to not be installed when using the npm plugin NodeJS checksum not being verified after downloading via the npm plugin Apr 25, 2024
@alnvdl-work
Author

alnvdl-work commented Apr 25, 2024

Talked with @tigarmo in PMs. I did not know about craftctl default (https://snapcraft.io/docs/using-craftctl). That solved the problem for me, quite elegantly.

However, I believe the second part of this issue (downloading NodeJS without running a checksum) still persists. So I renamed it, and I will leave this open.

@cmatsuoka
Collaborator

Fixed by PR #719
