Please consider publishing a checksum for verifying precompiled binaries #449

Closed
jakehamtexas opened this issue Sep 4, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@jakehamtexas

It would be wonderful if the releases page for the precompiled binaries also included a section with a hash for verifying the authenticity of the binary, in order to mitigate supply chain attacks.

See https://github.com/GoogleCloudPlatform/cloud-sql-proxy/releases/tag/v2.13.0 for an example

@jakehamtexas
Author

I looked through the .github/workflows directory to see if there's an automation for the release in GitHub, but I was unable to locate one. If there's a way to help with this change in the repository, I'd be happy to investigate the improvement myself.

@rhysd rhysd added the enhancement New feature or request label Sep 23, 2024
@rhysd
Owner

rhysd commented Sep 23, 2024

This repository uses GoReleaser and I guess GoReleaser has the capability to generate checksums.

@rhysd rhysd closed this as completed in 987484b Sep 25, 2024
@rhysd
Owner

rhysd commented Sep 25, 2024

Checksums will be included from the next release. Here is an example of the checksums file:


@jakehamtexas
Author

Thank you so much for your care and attention to this issue!

@rhysd
Owner

rhysd commented Sep 29, 2024

Release for v1.7.3 includes the checksums: https://github.com/rhysd/actionlint/releases/tag/v1.7.3
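How a consumer can check a downloaded archive against a checksums file of the kind described in this thread, as an added example that is not part of the original discussion or the actionlint project. It assumes each line has the form `<sha256 hex>  <filename>`; the function names `sha256_of` and `verify_asset` are hypothetical.

```shell
#!/bin/sh
# Added example: verify one downloaded release archive against a checksums
# file whose lines look like "<64 hex chars>  <filename>" (assumed format).
# Usage once sourced: verify_asset checksums.txt ./downloaded-archive.tar.gz

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS / BSD fallback
    fi
}

# verify_asset CHECKSUMS ASSET
# Returns 0 when the digest matches, 1 on mismatch, and 2 when the inputs are
# unreadable or ASSET does not have exactly one well-formed entry.
verify_asset() {
    checksums=$1
    asset=$2
    [ -r "$checksums" ] && [ -r "$asset" ] || return 2
    name=$(basename "$asset")

    # Compare the filename field exactly. A substring search would let an
    # entry for "x.tar.gz.bak" satisfy a lookup for "x.tar.gz".
    # The "*" prefix is the binary-mode marker some sha256sum outputs carry.
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n { print tolower($1) }' "$checksums")

    # Fail closed: no entry, duplicate entries (embedded newline), or
    # anything that is not exactly 64 hex characters is rejected.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256_of "$asset")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}
```

A checksums file fetched from the same release page as the archive detects corruption and tampering in transit or on a mirror; it does not by itself detect a release whose archives and checksums were replaced together.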
