chore: add pypi sha256 support

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/slsa_analyzer/analyzer.py

@@ -1065,6 +1065,10 @@ def get_artifact_hash(
             if not pypi_asset.download(""):
                 return None
 
+            artifact_hash = pypi_asset.get_sha256()
+            if artifact_hash:
+                return artifact_hash
+
             source_url = pypi_asset.get_sourcecode_url("bdist_wheel")
             if not source_url:
                 return None

src/macaron/slsa_analyzer/package_registry/pypi_registry.py

@@ -543,6 +543,26 @@ def get_sourcecode(self) -> dict[str, str] | None:
             return source_code
         return None
 
+    def get_sha256(self) -> str | None:
+        """Get the sha256 hash of the artifact from its payload.
+
+        Returns
+        -------
+        str | None
+            The sha256 hash of the artifact, or None if not found.
+        """
+        if not self.package_json and not self.download(""):
+            return None
+
+        if not self.component_version:
+            artifact_hash = json_extract(self.package_json, ["urls", 0, "digests", "sha256"], str)
+        else:
+            artifact_hash = json_extract(
+                self.package_json, ["releases", self.component_version, "digests", "sha256"], str
+            )
+        logger.debug("Found sha256 hash: %s", artifact_hash)
+        return artifact_hash
+
 
 def find_or_create_pypi_asset(
     asset_name: str, asset_version: str | None, pypi_registry_info: PackageRegistryInfo