
Releases page is missing files' checksums #689

Open
0rzech opened this issue Jan 25, 2024 · 4 comments · May be fixed by #691
Labels
bug Something isn't working

Comments

@0rzech
Contributor

0rzech commented Jan 25, 2024

Bazecor downloads are missing checksums. It would be great if at least SHA-256 checksums were provided as well.

I was able to print checksums to the build log with

- name: Show build items
  run: |
    find out/make -type f -exec sha256sum -b {} \; | sed 's|\*.*/|*|g'

but I didn't attempt to add checksum files to releases.

@0rzech 0rzech added the bug Something isn't working label Jan 25, 2024
@alexpargon
Contributor

I will try to add them in a meaningful way, as this is always welcome to ensure the download is good and to be trusted.

@alexpargon
Contributor

alexpargon commented Jan 25, 2024

Looking for a way to implement it, I found this:

https://github.com/orgs/community/discussions/23512#discussioncomment-3240662

We indeed signed the app with certificates for Windows and macOS. After that read I'm pressed to extend that treatment to Linux, just to be on the safe side, but most probably won't push the sha256 as it seems useless nowadays 😱

PS: it's still meaningful for validating downloads, so I will add them manually on the release description from now on.

@0rzech
Contributor Author

0rzech commented Jan 25, 2024

Indeed, checksums are for file integrity and digital signatures are for authenticity. 😉

I didn't ask for digital signatures, because many projects don't do it, probably because they consider it a hassle. macOS requires signatures now and I guess Windows does too?

In the Linux world, I often see executables with a single checksums file, and that checksums file being signed with GPG.

Debian has the Creating signed GitHub releases wiki page. Perhaps this could help?

PS. It's not that SHA-256 is useless, but that it should be used for verifying file integrity rather than authenticity, and basically it's always been like that.

@noirbizarre
Contributor

noirbizarre commented Jan 31, 2024

I submitted #595, which does exactly that, but it doesn't seem to be used anymore.
If you can describe your release process or point me to the workflow/script or whatever you are using to release, I can submit what is required for computing checksums.

Is there a reason not to use semantic release anymore? If it's not used anymore, wouldn't it be better to remove the associated workflow and the config, so people don't submit pull requests on it?

Note: it's not just to validate downloads but also to package for distributions like Arch Linux. Without the checksum files, we have to manually download each release artifact to compute the checksum, then update the script, which will redownload it.
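Added example, not code from the Bazecor project or from anyone in this thread: a small POSIX shell script that builds a SHA256SUMS list from a directory of release artifacts (the same idea as the find/sha256sum step earlier in the thread, with the directory prefix stripped so the list verifies from any download location) and checks a downloaded copy against it, failing closed on tampered or unlisted files. It assumes GNU coreutils/findutils; the artifact names and contents are constructed. The list only proves integrity, so to prove who published it the SHA256SUMS file itself still needs a signature, as the thread's GPG suggestion describes.

```shell
#!/bin/sh
# Added example, not Bazecor's own release workflow. Builds a SHA256SUMS file
# for a directory of release artifacts and verifies a downloaded copy against
# it. Assumes GNU coreutils sha256sum and GNU find; constructed sample files
# stand in for real installers.
set -eu

# Write "<sha256> *<name>" lines for every regular file in $1 into $2.
# Hashing from inside the directory keeps names bare, so the list verifies
# from whatever directory a user downloads the artifacts into.
make_checksums() {
    dir=$1; out=$2
    ( cd "$dir" && find . -maxdepth 1 -type f -exec sha256sum -b {} \; \
        | sed 's|\*\./|*|' | LC_ALL=C sort -k 2 ) > "$out"
}

# Verify one downloaded file ($2) against the checksum list ($1).
# Returns 0 only when the file is listed and its digest matches; an unlisted
# file fails closed rather than passing by default.
verify_artifact() {
    sums=$1; file=$2
    name=$(basename "$file")
    line=$(awk -v n="$name" '$2 == ("*" n)' "$sums")
    [ -n "$line" ] || return 1
    ( cd "$(dirname "$file")" && printf '%s\n' "$line" | sha256sum -c --status - )
}

# Demonstration on constructed artifacts: a good download, a tampered one,
# and a file that was never listed.
demo() {
    work=$(mktemp -d)
    mkdir "$work/make" "$work/download"
    printf 'constructed AppImage bytes\n' > "$work/make/Bazecor-sample.AppImage"
    printf 'constructed deb bytes\n' > "$work/make/bazecor-sample_amd64.deb"
    make_checksums "$work/make" "$work/SHA256SUMS"
    cp "$work/make/Bazecor-sample.AppImage" "$work/download/"
    verify_artifact "$work/SHA256SUMS" "$work/download/Bazecor-sample.AppImage" \
        && echo "OK: untouched download verifies"
    printf 'x' >> "$work/download/Bazecor-sample.AppImage"
    verify_artifact "$work/SHA256SUMS" "$work/download/Bazecor-sample.AppImage" \
        || echo "REJECTED (expected): tampered download"
    printf 'unknown\n' > "$work/download/other.bin"
    verify_artifact "$work/SHA256SUMS" "$work/download/other.bin" \
        || echo "REJECTED (expected): file not in SHA256SUMS"
    rm -rf "$work"
}

demo
```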
