Checksums and GPG Signing for Release Artifacts #126
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request), github_actions (Pull requests that update GitHub Actions code)
Issue 1: Cryptographically Signing Release Artifacts
It seems to be rather poor practice to offer release artifacts and, in 2024, not to sign them!
Options To Solve the Issue
- age
- minisign
Consideration
I already use GnuPG to sign all of my commits, so it would be natural to use that same signing key for this project's release artifacts...

Issue 2: Providing Checksums of Release Artifacts
There must be a GitHub action that automatically creates checksums of artifacts! (The most popular one only has 8 stars!?)
Options to Solve the Issue
- At the very least, BLAKE3 is the future (?)

Consideration
How difficult would it be to roll my own GitHub actions workflow that checksums and signs release artifacts, then adds new release artifacts containing the signatures of the binaries as well as a CHECKSUMS text file?
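One way to roll such a workflow, added here as an example and not code from this project or its author: a GitHub Actions job that runs when a release is published, downloads the attached assets, writes a CHECKSUMS.txt (SHA-256 in `sha256sum` format, plus a B3SUMS.txt when `b3sum` is available), produces a detached ASCII-armored GnuPG signature for the checksum file(s) and for every binary, and uploads all of it back to the release. The secret names GPG_PRIVATE_KEY and GPG_PASSPHRASE, the workflow name and the dist directory are assumptions chosen for this example.

```yaml
# Added example workflow (not from the project). Assumes two repository secrets:
#   GPG_PRIVATE_KEY  - ASCII-armored GnuPG secret key (ideally a signing subkey only)
#   GPG_PASSPHRASE   - passphrase protecting that key
# and that the release assets were already uploaded when the release was published.
name: sign-release

on:
  release:
    types: [published]

permissions:
  contents: write        # required for `gh release upload`

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - name: Download the published release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          mkdir -p dist
          gh release download "${{ github.event.release.tag_name }}" \
            --repo "${{ github.repository }}" --dir dist

      - name: Import the signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          # --batch keeps gpg from trying to open an interactive prompt on the runner.
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: Generate checksums and detached signatures
        shell: bash
        working-directory: dist
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          # Snapshot the asset list before creating any new files in the directory,
          # so the checksum files never list themselves.
          mapfile -t assets < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)

          # "hash  filename" lines, so consumers can verify with `sha256sum -c`.
          sha256sum "${assets[@]}" > CHECKSUMS.txt
          to_sign=("${assets[@]}" CHECKSUMS.txt)

          # Optional BLAKE3 list; b3sum is assumed to be installed (e.g. `cargo install b3sum`).
          if command -v b3sum >/dev/null 2>&1; then
            b3sum "${assets[@]}" > B3SUMS.txt
            to_sign+=(B3SUMS.txt)
          fi

          # One detached, ASCII-armored signature (<file>.asc) per binary and per checksum file.
          for f in "${to_sign[@]}"; do
            gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
                --armor --detach-sign --output "$f.asc" "$f"
          done

      - name: Attach checksums and signatures to the release
        working-directory: dist
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "${{ github.event.release.tag_name }}" \
            --repo "${{ github.repository }}" --clobber \
            *SUMS.txt *.asc
```

A consumer then verifies a download with `gpg --verify CHECKSUMS.txt.asc CHECKSUMS.txt && sha256sum -c CHECKSUMS.txt` (after importing the project's public key, whose fingerprint should be published somewhere independent of the release page, such as the README). Two caveats worth knowing before wiring this up: a `release` event is not delivered when the release was created by another workflow using the default GITHUB_TOKEN, so in that setup the signing steps belong in the same job that uploads the binaries; and rather than placing the primary commit-signing key in CI secrets, exporting only a signing subkey (`gpg --export-secret-subkeys`) keeps the primary key offline and limits what a compromised runner could sign.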