msgpack-java
Publish Checksums
In many Java projects, I'm using gradle witness to keep a list of checksums of all dependencies. This makes sure that when building a project on a different machine, I can be sure to get the exact same version of the dependencies.
It would be nice if you could publish SHA256 sums of the released versions' files somewhere. It's as simple as executing `sha256sum build/libs/msgpack-java.jar` (or wherever your build process puts the JAR file) before publishing and adding the checksum to the README file. Example: https://github.com/saltyrtc/chunked-dc-java#signatures
It's not a perfect solution, but it can protect against a release being accidentally or intentionally corrupted or against MITM between the user and maven central / jcenter. See this old post on what can happen if TLS is turned off or broken.
So does it mean having SHA1 on Maven Central is not enough to protect against MITM? If so, is having the SHA256 of the jar file in README.md good enough for your use case?
I'm using jcenter (bintray) instead of maven central, so I wasn't aware of published SHA1 sums, but in both cases I have to "trust-on-first-use". If the upload were manipulated, the checksum on the same website would be too. By publishing the SHA256 sum (this is what gradle witness uses) in the README, you add a second channel separate from the maven central / jcenter website that can be used for independent verification :)
Of course GPG would be even better, but it's more effort. Checksums are easy and require no handling of private keys (besides the SSH key to push to Github).
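As an added example (not code from msgpack-java or from anyone in this thread), a small POSIX shell routine for the verification described above: the expected hash is supplied from a second channel such as the README rather than from the download site, and the check fails closed on a mismatch. The sample "artifact" and its checksum are constructed, and the function names `sha256_of`, `publish_line` and `verify_sha256` are assumptions, not part of any real tool.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a SHA-256 value obtained
# out of band (e.g. from the project README), and produce the line a maintainer
# would paste into that README when publishing a release.

# Portable SHA-256: prefer sha256sum (GNU coreutils), fall back to shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Line to paste into the README when publishing: "<hash>  <filename>".
publish_line() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")"
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch or missing file.
# EXPECTED must come from a channel other than the site the file came from,
# otherwise a manipulated upload would simply ship a matching checksum.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed sample "artifact": the bytes "abc", whose SHA-256 is the
# well-known FIPS 180 test vector below (a stand-in for a real jar's hash).
SAMPLE_JAR=$(mktemp)
printf 'abc' > "$SAMPLE_JAR"
SAMPLE_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
```

In a build pipeline, `verify_sha256` would run after the download step with the expected value pinned in the build script, the same way gradle witness pins a checksum per dependency.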