
Please add hashsums for the downloads so that their integrity can be verified (or sign them)

Open mYnDstrEAm opened this issue 4 years ago • 5 comments

Platform: all

Nuclear version: v0.6.16

Description of the issue: Please add hashsums to the releases.

This would only take a minute or so and is one of the most basic, necessary and easiest steps one can take to ensure integrity of software.

It would be best to sign the hashed downloads with GPG as well as getting Nuclear onto official (e.g. Debian) repositories but adding hashsums would be good enough. Some more info here.

Note that the hashsum only verifies the integrity of the built binary, not that the built binary matches the public source code of this repository. The next step would be for the package to be reproducible so that when other people build the binary it has the same hashsum.

It is so simple to solve that this short info obtained via sha512sum ./nuclear-v0.6.16.deb almost closes the issue: 39f4b0f2e9efcd5294e694e4efe03f9dd764692cf637cfe6ff41298a51fec0531f98e27d219c70e3e88f692df09db587c8ec54ca46c7ff387828cb1deb3af768 for Linux: nuclear-v0.6.16.deb of the releases.

-- Edit: sha512sum ./nuclear-v0.6.17.deb is 7c9d12d81489baac98a52d96f7ba782098838c00d4889eba6bad257a6191090f9f04339ba3d86ece30c95b4306e3f6817a395aef5e2ee7ee15e807f45f8e8b80.

mYnDstrEAm avatar Oct 02 '21 10:10 mYnDstrEAm

Now you added hashsums of the AppImage, but not the .deb files. sha512sum ./nuclear-eac584.deb is c314e0fa7ec9bfa80cdbcc48a33d45159d7acf494b2d30cb262aaf363bc2ef0358cac2b3db80d897baf9fdd38315a927e19aa1db2074f8e365e27cd92881b7b2. Could you also add the hashsums for the deb file (or get this into a Debian repo)?

mYnDstrEAm avatar May 08 '22 12:05 mYnDstrEAm

sha512sum ./nuclear-3f9007.deb is c04849d6d73ff7c5937e15311f94ffbd1888a27068db2e84864dce636a7ff3eac786b6781fb63889b403abf87946793adfde4bc45bf131bd09608f967b09f0d8 (this would go into the release assets somehow)

mYnDstrEAm avatar Aug 30 '22 11:08 mYnDstrEAm

MD5s of .deb releases are available through AUR. Not sure how to add them to binaries directly.

nukeop avatar Aug 30 '22 20:08 nukeop

You mean this page? I don't see a hashsum there.

They would just need to be in a text file that's in the releases. Many other repos have these too. It's just some short text. The MD5sum for nuclear-v0.6.30.deb is ac63c4f58cb2a93dce5d9e626a6a7e01, and the SHA-256 sum is 52038af143c8eb0e6fc669fae90a6df25a53370c742277ac8c8ba0bf0b175368.

mYnDstrEAm avatar Jan 12 '24 20:01 mYnDstrEAm

https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nuclear-player-bin

There's the SHA-256 checksum here. I guess we could generate a text file at build time with MD5, etc.

nukeop avatar Jan 12 '24 20:01 nukeop
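One way to generate the checksum text file at build time and let a user verify a download against it, added here as an example and not part of nuclear's build or release tooling (the asset names and contents below are constructed):

```shell
#!/bin/sh
# Added example: build a SHA512SUMS manifest for release assets and verify a
# downloaded asset against it. Not nuclear's own tooling; names are constructed.

# Write "hash  name" lines for every regular file in <dir> to <manifest>,
# skipping the manifest itself. Names are relative, so the file verifies from
# any download directory.
write_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(basename "$f")" = "$(basename "$manifest")" ]; then continue; fi
        ( cd "$dir" && sha512sum "$(basename "$f")" ) >> "$manifest"
    done
    # A maintainer would then sign the manifest, e.g.:
    #   gpg --armor --detach-sign "$manifest"
}

# Compare one downloaded asset with its manifest entry.
# Returns 0 on match, 1 if the hash differs or the asset is not listed
# (an unlisted file must fail, not pass silently). Assumes names without spaces.
verify_asset() {
    manifest=$1; asset=$2
    name=$(basename "$asset")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    [ -n "$expected" ] || return 1
    actual=$(sha512sum "$asset" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Demo with constructed assets: a clean check passes, a modified copy fails.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed deb payload' > "$tmp/nuclear-example.deb"
    printf 'constructed appimage payload' > "$tmp/nuclear-example.AppImage"
    write_manifest "$tmp" "$tmp/SHA512SUMS"
    verify_asset "$tmp/SHA512SUMS" "$tmp/nuclear-example.deb" && echo "deb: OK"
    printf 'x' >> "$tmp/nuclear-example.deb"
    verify_asset "$tmp/SHA512SUMS" "$tmp/nuclear-example.deb" || echo "deb: FAILED (modified)"
    rm -rf "$tmp"
}
demo
```

A user checks a download with `verify_asset SHA512SUMS ./nuclear-<version>.deb` from the download directory; if the manifest is also GPG-signed, `gpg --verify SHA512SUMS.asc SHA512SUMS` ties the hashes to the maintainer's key.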