fix(deps): content of wasm_hash_url can have extra fields than the hash

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 # UNRELEASED
 
+### fix(deps): content of wasm_hash_url can have extra fields than the hash
+
+It is natural to point `wasm_hash_url` to the `<FILE>.sha256` file generated by `shasum` or `sha256sum` which consists of the hash and the file name.
+
+Now when `dfx deps pull`, such content will be accept properly.
+
 # 0.16.1
 
 ### feat: query stats support

docs/concepts/pull-dependencies.md

@@ -57,6 +57,10 @@ In other cases, the wasm module at `wasm_url` is not the same as the on-chain wa
 
 A URL to get the SHA256 hash of the wasm module located at `wasm_url`.
 
+The content of this URL can be the SHA256 hash only.
+
+It can also be the output of `shasum` or `sha256sum` which contains the hash and the file name.
+
 This field is optional.
 
 Aside from specifying SHA256 hash of the wasm module directly using `wasm_hash`, providers can also specify the hash with this URL. If both are defined, the `wasm_hash_url` field will be ignored.

e2e/tests-dfx/deps.bash

@@ -228,7 +228,7 @@ Failed to download from url: http://example.com/c.wasm."
   CUSTOM_HASH_A="$(sha256sum .dfx/local/canisters/a/a.wasm | cut -d " " -f 1)"
   jq '.canisters.a.pullable.wasm_hash="'"$CUSTOM_HASH_A"'"' dfx.json | sponge dfx.json
   # B: set dfx:wasm_hash_url
-  echo -n "$(sha256sum .dfx/local/canisters/b/b.wasm.gz | cut -d " " -f 1)" > ../www/b.wasm.gz.sha256
+  echo -n "$(sha256sum .dfx/local/canisters/b/b.wasm.gz)" > ../www/b.wasm.gz.sha256
   jq '.canisters.b.pullable.wasm_hash_url="'"http://localhost:$E2E_WEB_SERVER_PORT/b.wasm.gz.sha256"'"' dfx.json | sponge dfx.json
   # C: set both dfx:wasm_hash and dfx:wasm_hash_url. This should be avoided by providers.
   CUSTOM_HASH_C="$(sha256sum .dfx/local/canisters/c/c.wasm | cut -d " " -f 1)"

src/dfx/src/commands/deps/pull.rs

@@ -305,9 +305,15 @@ async fn get_hash_on_chain(
         let wasm_hash_content = download_file(&wasm_hash_url)
             .await
             .with_context(|| format!("Failed to download wasm_hash from {wasm_hash_url}."))?;
-        let wasm_hash_encoded = String::from_utf8(wasm_hash_content)
+        let wasm_hash_str = String::from_utf8(wasm_hash_content)
             .with_context(|| format!("Content from {wasm_hash_url} is not valid text."))?;
-        Ok(hex::decode(&wasm_hash_encoded)
+        // The content might contain the file name (usually from tools like shasum or sha256sum).
+        // We only need the hash part.
+        let wasm_hash_encoded = wasm_hash_str
+            .split_whitespace()
+            .next()
+            .with_context(|| format!("Content from {wasm_hash_url} is empty."))?;
+        Ok(hex::decode(wasm_hash_encoded)
             .with_context(|| format!("Failed to decode {wasm_hash_encoded} as sha256 hash."))?)
     } else {
         match read_state_tree_canister_module_hash(agent, canister_id).await? {