4

I'm being tasked to validate the integrity of my downloads from npm by our IT/Security department. I'm a programmer and while I understand at a top level what performing a sha checksum is, I'm having trouble figuring out how to do that on my NPM packages.

I successfully performed a check on a single file download from the browser for something other than npm. NPM installs come with an "integrity" value in the "package-lock.json", but I am unsure how to use that value. For example, when trying to perform this check on the D3 library, which has the "integrity" value of "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==", I have been unable to recreate that value. I tried to create a tarball of the package folder using 7zip, and I even tried directly downloading the ".tgz" file from the "resolved" value "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz", which still does not yield the right checksum.

I have used both of the following commands, which give me the same result (e0f2f9847687c17e26ed9af551aa575b6ddaa68ea97b10a075eb5d2799139800e91bfed3f46931c34334b5ffe98e807addecc20a6d2ee54685632d9a32dd0c73):

Get-FileHash -Path C:\Path\to\d3-5.16.0.tgz -Algorithm SHA512
certutil -hashfile C:\Path\to\d3-5.16.0.tgz sha512

If anyone can walk me through what I'm doing wrong or missing it would be very appreciated.

1 Answer

3

Validation depends on the type of file per https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#integrity

integrity

This is a Standard Subresource Integrity for this resource.

For bundled dependencies this is not included, regardless of source.

For registry sources, this is the integrity that the registry provided, or if one wasn't provided the SHA1 in shasum.

For git sources this is the specific commit hash we cloned from.

For remote tarball sources this is an integrity based on a SHA512 of the file.

For local tarball sources: This is an integrity field based on the SHA512 of the file.

To calculate for a tgz, https://w3c.github.io/webappsec-subresource-integrity/ provides an example which you can adapt - so you can check it like this:

curl -LO <someurl>/some-package-1.0.0.tgz
cat ./some-package-1.0.0.tgz | openssl dgst -sha512 -binary | openssl base64 -A
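The same check in Python, as an added example that is not part of the answer above: the npm "integrity" field is the raw SHA-512 digest base64-encoded (not hex), so the hex value printed by Get-FileHash or certutil only needs re-encoding. The hex and SRI strings below are the ones quoted in the question; the tarball bytes in the test are constructed.

```python
import base64
import hashlib
import hmac

# Hash functions permitted by Subresource Integrity, weakest to strongest.
SRI_ALGORITHMS = ["sha256", "sha384", "sha512"]


def sri_from_bytes(data: bytes, algorithm: str = "sha512") -> str:
    """Compute an SRI string ("<alg>-<base64 digest>") over raw .tgz bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_from_hex(hex_digest: str, algorithm: str = "sha512") -> str:
    """Re-encode a hex digest (as printed by Get-FileHash/certutil) as SRI."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != hashlib.new(algorithm).digest_size:
        raise ValueError("hex digest length does not match the algorithm")
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def parse_sri(integrity: str) -> list[tuple[str, bytes]]:
    """Split an SRI value (one or more space-separated hashes) into (alg, digest)."""
    parsed = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in SRI_ALGORITHMS:  # unknown algorithms are ignored, as SRI specifies
            parsed.append((alg, base64.b64decode(b64)))
    return parsed


def verify_sri(data: bytes, integrity: str) -> bool:
    """True if data matches a digest of the strongest algorithm listed in integrity."""
    entries = parse_sri(integrity)
    if not entries:
        return False  # nothing we can check against: treat as failure, not success
    strongest = max((alg for alg, _ in entries), key=SRI_ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return any(hmac.compare_digest(actual, expected)
               for alg, expected in entries if alg == strongest)
```

verify_sri is what a lock-file check should call on the downloaded tarball bytes; sri_from_hex only bridges the encoding gap when a hex hash has already been computed elsewhere.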