Calculate checksums for the binary artifacts #395

Merged (2 commits) May 27, 2025

Conversation

kpumuk (Contributor) commented Apr 23, 2025

This pull request adds a checksums.txt file with SHA256 checksums of all binary archives to be published on the GitHub Releases page. This allows users of the tool to verify the checksum before unarchiving and installing the binary, preventing some supply chain attacks.

The GitHub release will look like this:

[Screenshot: CleanShot 2025-04-23 at 17 58 18@2x]

An example of the checksums.txt file:

c18cf49e7dd26f888f6f7f7b4f708d81eb19b098a6b26a24b227f1f871f424ec  rbspy-aarch64-unknown-linux-gnu.tar.gz
d06bd08bd20da2b30c8bc3bf24c60d6707f2f085b9c1724c336c9bf75c04463b  rbspy-aarch64-unknown-linux-musl.tar.gz
bec897233bfc4b4d8ea17ad9dc07b4527313fb3312103dab0813781323b3d1cb  rbspy-x86_64-apple-darwin.tar.gz
bc14f30b5ae97a36b6c4f5a4b8cd86270256ec2bb7b47b18cef4b5768d86431c  rbspy-x86_64-pc-windows-msvc.exe.zip
0e706ca985c4ed51b4833cb1ebc026e27f3ec01eb4f0cf5200b4018737e3f501  rbspy-x86_64-unknown-freebsd.tar.gz
b94b3882602cbf6bee81a143df5f2e8c7100717ed0bb0975ec1566e4c2775b72  rbspy-x86_64-unknown-linux-gnu.tar.gz
5fff7555ff575c1d3c4cca4f171f564f59f725fdcc170929ff37505874da3974  rbspy-x86_64-unknown-linux-musl.tar.gz

Execution log for the action:

[Screenshot: CleanShot 2025-04-23 at 18 01 04@2x]

acj (Member) commented May 22, 2025

Hey, thanks for this, and sorry for the delay. Adding checksums is a good idea. My preference would be to add one for each individual file instead of bundling them. For example:

rbspy-aarch64-unknown-linux-gnu.tar.gz
rbspy-aarch64-unknown-linux-gnu.tar.gz.sha256
...

Then the relevant checksum file can be fetched directly without any parsing. WDYT?

kpumuk (Contributor, Author) commented May 26, 2025

Don't have a strong preference. On one hand, having a single checksums file allows GPG signing so that it can be verified. On the other, as you mentioned, per-file checksums are easier to work with. I have updated the MR to generate hash-only .sha256 files.

Example:

[Screenshot: CleanShot 2025-05-26 at 17 43 13@2x]
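As an added example (not code from this PR or from the rbspy project), here is a small bash verifier for the consumer side of the two layouts discussed above: it accepts either the hash-only `<artifact>.sha256` file the updated PR generates or a `<hash>  <filename>` line from a bundled checksums.txt, so the same check works whichever layout a release ships. The artifact name and payload in the demonstration at the end are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the rbspy PR. Verifies a downloaded release artifact
# against either a hash-only "<name>.sha256" file or a "<hash>  <name>" line from
# a bundled checksums.txt. verify_artifact returns 0 only when the digests match.
set -u

sha256_of() {
  # Portable digest: GNU coreutils sha256sum, falling back to shasum on macOS/BSD.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

expected_sha256() {
  # $1 = checksum file, $2 = artifact basename. Prints the expected hex digest.
  # A hash-only file carries no name, so the caller must pair it with the
  # artifact it is named after; a multi-line file is searched for $2.
  awk -v name="$2" '
    NF == 1 && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1); exit }
    NF >= 2 && $2 == name && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1); exit }
  ' "$1"
}

verify_artifact() {
  # $1 = artifact path, $2 = checksum file. Verdict on stdout/stderr, exit status as result.
  name=$(basename "$1")
  expected=$(expected_sha256 "$2" "$name")
  if [ -z "$expected" ]; then
    echo "no SHA256 entry for $name in $2" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name (expected $expected, got $actual)" >&2
  return 1
}

# Constructed demonstration: fake artifact, hash-only sidecar file, verify, clean up.
demo_dir=$(mktemp -d)
printf 'constructed sample payload\n' > "$demo_dir/rbspy-x86_64-unknown-linux-gnu.tar.gz"
sha256_of "$demo_dir/rbspy-x86_64-unknown-linux-gnu.tar.gz" > "$demo_dir/rbspy-x86_64-unknown-linux-gnu.tar.gz.sha256"
verify_artifact "$demo_dir/rbspy-x86_64-unknown-linux-gnu.tar.gz" "$demo_dir/rbspy-x86_64-unknown-linux-gnu.tar.gz.sha256"
rm -rf "$demo_dir"
```

A checksum fetched from the same release page only proves the download matches what was published; pairing the single checksums file with a GPG signature, as mentioned in the comment above, is what ties it to the publisher.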

kpumuk (Contributor, Author) commented May 26, 2025

Full example performed on a copy of this repository (which I will delete after this PR is handled):

https://github.com/kpumuk/rbspy-copy/releases/tag/untagged-7d51aeafdfb1bffeca5d

acj (Member) left a review comment

Thanks!

@acj acj merged commit d05e56d into rbspy:main May 27, 2025
9 checks passed