Would it be possible to add a checksum.txt for release artifacts going forward? It's nice to be able to verify the builds for extra peace of mind. An example would be something like fabio: https://github.com/fabiolb/fabio/releases
Hmm, I can't seem to find it on the releases page you linked to; but I am on mobile now, maybe it hides something? Can you please give me a direct link to the file, or describe in words where I can find it?
Then, another thing is that it's not really clear what checksums would add over https? If somebody compromises my account to change the files, they can too change the checksums, no? I'm really curious about scenarios where the file could add some value, can you give me some examples?
On an unrelated note: based on your avatar image, are you a plan9 person? If yes, did you maybe try building and running up on plan9? I'm curious if it works and I could be publishing the binaries for this platform too with a reasonable peace of mind...?
Assuming the checksum and other artifacts are legitimate, it's nice to have a checksum to validate that all artifacts match a given release. But I agree that if the account gets compromised then just the checksums won't be much good for authenticity. You can additionally sign the checksum file with GPG so users can validate the authenticity of the checksum out of band. An example of this is HashiCorp's Go tooling. Their process is laid out here and includes a good example: https://www.hashicorp.com/security.html
Unfortunately I'm not a plan9 user. The avatar is more of an inside joke with some old colleagues. I am however a FreeBSD user and I can report that the latest version of up is successfully running on FreeBSD 11.2!
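The checksum-plus-signature workflow described in the comment above, as an added example that is not part of this thread or of the up project's release tooling. It assumes GNU coreutils `sha256sum` on the publisher's and downloader's machines and, for the two signing steps, `gpg` with the publisher's signing key available; the directory name `dist` and the file names `checksum.txt` / `checksum.txt.asc` are illustrative choices.

```shell
# Added example (not from the up project): generate a checksum file for a
# release directory, detach-sign it with GPG, and verify both as a downloader.
# Assumes GNU coreutils `sha256sum`; `gpg` is only needed for the signing steps.

# Write "<sha256>  <file>" lines for every regular file in the release
# directory to checksum.txt, the same layout `sha256sum -c` reads back.
make_checksums() {
    dir=$1
    (
        cd "$dir" || exit 1
        : > checksum.txt.tmp
        for f in *; do
            # never hash the checksum file or signature themselves
            case "$f" in
                checksum.txt|checksum.txt.tmp|checksum.txt.asc) continue ;;
            esac
            [ -f "$f" ] && sha256sum "$f" >> checksum.txt.tmp
        done
        mv checksum.txt.tmp checksum.txt
    )
}

# Recompute every hash listed in checksum.txt. Non-zero status on any
# mismatch, so a downloader learns that an artifact does not belong to the
# release set (corrupt download, swapped binary, or a partially replaced set).
verify_checksums() {
    ( cd "$1" && sha256sum -c checksum.txt )
}

# Publisher side: ASCII-armoured detached signature over checksum.txt.
# Only the holder of the signing key can produce checksum.txt.asc, so a
# compromised hosting account can rewrite checksum.txt but not re-sign it.
sign_checksums() {
    gpg --batch --yes --armor --detach-sign \
        --output "$1/checksum.txt.asc" "$1/checksum.txt"
}

# Downloader side: check the signature with the publisher's public key,
# obtained out of band (project website, keyserver, an earlier release),
# and only then trust the hashes inside checksum.txt.
verify_release() {
    gpg --batch --verify "$1/checksum.txt.asc" "$1/checksum.txt" \
        && verify_checksums "$1"
}

# Publisher:  make_checksums dist && sign_checksums dist
# Downloader: verify_release dist
```

`verify_checksums` on its own only proves the artifacts are internally consistent with the listed hashes; it is `verify_release`, checking the signature against a public key fetched from somewhere other than the release page, that addresses the compromised-account case raised earlier in the thread. Keeping the signing key off the build and hosting machines is what makes that separation meaningful.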