-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add .sha256sum checksums to binary distribution tarballs #3605
Conversation
I've never used any of these tools, could you link some documentation that points to this being used? |
Here you go:
Note that to generate a full archive of all the releases, you have to download N*M files, N releases over M platforms, each of which weighs however many MB. It's more tolerable for wasm-bindgen than most, seeing as each weighs only a few MB. |
I don't these contain what I was looking for. Specifically I was trying to find some standard how to deploy these hashes in the first place. Your PR suggests to deploy them as part of the release artifacts. Is that documented somewhere? Does a tool actually make use of this path, e.g. just adding |
No, but you have baited me into writing apparently the first such document anywhere on the internet. (As for tools that generate a manifest from a GH Release by fetching checksums, I am writing one at the moment. The actual scripting looks more like GET https://api.github.com/repos/WebAssembly/binaryen/releases/tags/version_115, if There is no documented standard for how to store checksums, nor any tooling that assumes it that I can see. It would be silly to attempt one without trying to make it comprehensive and solving other goals, so it's either "a bunch of tarballs with ad hoc checksums on GH releases" or "deploy a bulletproof, CNCF-supported standard called TUF" or "TUF but for cars". Just checksums are obviously fine when you only care about integrity checking in transit and what amounts to perfect caching in build tools. But moreover, whatever checksum file location you choose is also fine. As long as there's a hash there somewhere other than freeform markdown, it can be automated in a few lines of any scripting language, so it doesn't really matter that much. If you want details, let's compare the two main options, neither of which has any kind of standardisation for the filenames. I have listed the ability to parse with Python as a factor. 1.
|
Co-authored-by: daxpedda <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, thanks for going through all the effort!
Hiya. This adds a
*.tar.gz.sha256
file alongside each tarball pushed to GitHub Releases. Having a hash available does not magically add much in terms of supply chain security, it just enables tools like Bazel and Buck to pull binaries and ensure they're the same one as last time. The concrete need is to generate a JSON manifest of a GitHub release including sha256 hashes, without actually downloading the tarballs and hashing them at generation time. I have not tested the pipeline, but note that:*
at the end of the glob will match those .sha256 suffixes as well as the tarballs, against the glob package in use.npm i -g glob; sha256sum CHANGELOG.md > CHANGELOG.md.sha256; glob '*.md*'
So I think that will work. This is not a blocker because scripts for generating manifests can always fall back on downloading the tarballs to /tmp and hashing them there. So no need to push a release just for this.