fix(extensions): reject a declared-but-empty sha256 instead of skipping verification

verify_archive_sha256 skipped on any falsy expected value, so a present-but-empty digest (e.g. sha256: "" reached via ...get("sha256")) silently disabled the integrity check instead of surfacing the authoring error. Guard on expected is None so only an absent digest skips; blank/whitespace/bare-prefix values fall through to the 64-hex validation and are rejected. Adds a regression test.

Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>

Author: zied-jlassi

src/specify_cli/shared_infra.py

@@ -45,7 +45,11 @@ def verify_archive_sha256(
         error_cls: If ``expected`` is provided and is not a well-formed
             SHA-256 hex digest, or does not match ``data``.
     """
-    if not expected:
+    # Skip only when no digest is declared at all (``None``). A declared but
+    # empty/blank value (e.g. ``sha256: ""``) is an authoring error, not an
+    # opt-out: let it fall through to the format check below so it is rejected
+    # rather than silently disabling verification.
+    if expected is None:
         logger.debug(
             "No sha256 declared for %r; archive integrity was not verified.",
             name,

tests/test_shared_infra_integrity.py

@@ -85,3 +85,17 @@ def test_absent_digest_skips_and_logs_debug(caplog):
         "not verified" in r.getMessage() and "thing" in r.getMessage()
         for r in caplog.records
     )
+
+
+def test_blank_declared_digest_is_rejected():
+    """A present-but-empty ``sha256`` is an authoring error, not an opt-out.
+
+    Catalog entries reach the helper via ``...get("sha256")``; a blank value
+    (``""``, whitespace, or a bare ``sha256:`` prefix) means the digest was
+    declared but left empty. It must surface as a malformed digest rather than
+    silently disabling the integrity check, which a bare ``if not expected``
+    guard would have done.
+    """
+    for blank in ("", "   ", "sha256:"):
+        with pytest.raises(_BoomError, match="[Ii]nvalid sha256"):
+            verify_archive_sha256(b"data", blank, "thing", _BoomError)