Slug Checksums
Last updated March 09, 2022
Checksum verification is currently only supported by apps in Private Spaces.
To protect the integrity of slugs on the Heroku Platform, slug metadata includes a checksum. The checksum is automatically calculated and set for slugs when deploying with Git; however, the checksum can also be manually set when creating slugs via the Platform API. When releasing a slug with a checksum, the checksum is verified before the dyno is launched. If the verification fails, an R17 error will occur and the dyno will be blocked from starting.
Supported algorithms
Currently, only the SHA256 algorithm is supported.
Computing and setting a checksum
The checksum is automatically calculated and set for slugs when deploying with Git. When creating a slug directly with the Platform API, the checksum can be computed and manually set for the slug. After creating the compressed slug file, use a tool such as shasum to compute the checksum:
$ shasum --algorithm 256 slug.tgz
f34f97e65fd1f78cdab0a8c8552bd82c67441a08303e4b479f8824e5a8ec9b13 slug.tgz
The Heroku checksum format is <ALGORITHM> ":" <VALUE>. For example, the checksum computed above should be formatted as SHA256:f34f97e65fd1f78cdab0a8c8552bd82c67441a08303e4b479f8824e5a8ec9b13.
The checksum is then included in the request to create the slug:
$ curl -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/vnd.heroku+json; version=3' \
-d '{"process_types":{"web":"bin/web"}, "checksum":"SHA256:f34f97e65fd1f78cdab0a8c8552bd82c67441a08303e4b479f8824e5a8ec9b13"}' \
-n https://api.heroku.com/apps/example/slugs
Reading a checksum
To read the checksum of an existing slug via the Platform API:
$ curl -X GET \
-H 'Accept: application/vnd.heroku+json; version=3' \
-n https://api.heroku.com/apps/example/slugs/$SLUG_ID
{
...
"checksum":"SHA256:f34f97e65fd1f78cdab0a8c8552bd82c67441a08303e4b479f8824e5a8ec9b13",
...
}
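The following is an added example, not part of the Heroku documentation: it builds the <ALGORITHM>:<VALUE> string for a local slug archive and checks the archive against a checksum string such as the one returned by the Platform API. The function names are hypothetical, and accepting only 64 lowercase hex digits is a choice of this example.

```shell
#!/bin/sh
# Added example (not Heroku code): build and check "<ALGORITHM>:<VALUE>" checksums.

# Print the hex SHA-256 digest of a file with whichever tool is installed.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d ' ' -f 1
    else
        shasum --algorithm 256 < "$1" | cut -d ' ' -f 1
    fi
}

# slug_checksum FILE: print the checksum in the format the page describes.
slug_checksum() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    sc_hex=$(sha256_hex "$1")
    [ "${#sc_hex}" -eq 64 ] || { echo "hashing failed: $1" >&2; return 2; }
    printf 'SHA256:%s\n' "$sc_hex"
}

# verify_slug_checksum FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is malformed or unsupported.
verify_slug_checksum() {
    case $2 in
        *:*) ;;
        *) echo "malformed checksum (no ':'): $2" >&2; return 2 ;;
    esac
    vc_alg=${2%%:*}
    vc_val=${2#*:}
    # The page lists SHA256 as the only supported algorithm.
    [ "$vc_alg" = "SHA256" ] || { echo "unsupported algorithm: $vc_alg" >&2; return 2; }
    # Assumption of this example: accept only 64 lowercase hex digits, as shasum prints.
    case $vc_val in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#vc_val}" -eq 64 ] || { echo "malformed digest length" >&2; return 2; }
    vc_actual=$(slug_checksum "$1") || return 2
    [ "$vc_actual" = "$2" ] || { echo "mismatch: $vc_actual != $2" >&2; return 1; }
}

# Demo on a constructed file (stand-in for slug.tgz, not a real slug).
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_slug_checksum "$demo_file" "$(slug_checksum "$demo_file")" && echo "checksum OK"
rm -f "$demo_file"
```

Running the same check against the archive before creating the slug and again against the checksum read back from the API catches a modified or truncated file before it reaches release-time verification.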