
Add checksums and/or signature to verify trustworthiness #55

Open
marcofranssen opened this issue Jul 26, 2022 · 3 comments

Comments

@marcofranssen
Contributor

It would be great if future releases would include at a minimum some checksums so I can compare the release against the checksum to verify I downloaded the binary I thought I was downloading.

Another step would be to also add signatures.

See https://github.com/philips-labs/slsa-provenance-action/releases for a project that applies these things on the released assets.

See the GitHub Actions workflow on how the checksums and signatures are added.
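The verification step described in this request, as an added example that is not part of the issue or of the project's own code: it checks a downloaded asset against a release checksums file in the common `<sha256>  <filename>` format (the format `sha256sum` writes; the file and asset names below are constructed for the demo).

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the project): verify a downloaded
# release asset against the checksums file shipped with the release.
# Assumes a checksums file in the common "<sha256>  <filename>" format
# that tools such as `sha256sum` produce; names below are constructed.
set -euo pipefail

# verify_asset <checksums-file> <asset-file>
# Returns 0 when the asset's SHA-256 matches the entry for its basename,
# 1 when the digest differs, 2 when the checksums file has no entry for it.
verify_asset() {
  local checksums="$1" asset="$2"
  local name expected actual
  name="$(basename "$asset")"
  # Match the filename field exactly, so "tool.tar.gz" can never be
  # checked against the entry for "tool.tar.gz.sig".
  expected="$(awk -v n="$name" '$2 == n { print $1; exit }' "$checksums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual="$(sha256sum "$asset" | awk '{ print $1 }')"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected got $actual" >&2
    return 1
  fi
  echo "$name: OK"
  return 0
}

# Self-contained demo on constructed files (no network access needed).
demo() {
  local dir; dir="$(mktemp -d)"
  printf 'release binary bytes\n' > "$dir/tool-linux-amd64"
  printf 'other file\n' > "$dir/unlisted.txt"
  ( cd "$dir" && sha256sum tool-linux-amd64 > checksums.txt )
  verify_asset "$dir/checksums.txt" "$dir/tool-linux-amd64"             # OK
  printf 'tampered\n' >> "$dir/tool-linux-amd64"
  verify_asset "$dir/checksums.txt" "$dir/tool-linux-amd64" && return 1 # mismatch
  verify_asset "$dir/checksums.txt" "$dir/unlisted.txt" && return 1     # no entry
  rm -rf "$dir"
  return 0
}

demo
```

A checksums file fetched from the same release page only proves the download is the one the publisher listed; it does not prove who published it, which is why the request also asks for signatures.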

@iann0036
Owner

Hey @marcofranssen,

Just wanted to note that this is on my radar, but I have a few other things in front of it. Will hopefully get to it soon.

In the meantime, if you're concerned over build security, feel free to pull and build yourself, or even fork.

@marcofranssen
Contributor Author

Helped out a bit with this PR.

#56

@iann0036
Owner

Hey @marcofranssen,

Thanks heaps for that! I've cut a new release with the new checksums file.
