
Providing signed binaries

Open tolmasky opened this issue 2 years ago • 1 comments

What is the problem this feature would solve?

It would be nice to have signed bun releases.

What is the feature you are proposing to solve the problem?

I think copying what node does is a good option here, since it's very easy to implement and non-disruptive to existing workflows that don't want to verify releases. It has the added benefit that it would make it so you could take existing Dockerfile/etc. boilerplate and slot in bun to have it work exactly the same way (facilitating the creation of things like bun-slim docker containers to match node-slim containers, etc.).

The signing procedure is very straightforward:

  1. You have the existing binary download URL unchanged. E.g., https://github.com/oven-sh/bun/releases/download/0.1.4/bun-linux-x64.zip
  2. You have a new file that lives alongside these releases, called SHASUMS256.txt.asc. This is a clearsigned file, which means it is not encrypted or compressed; it is a totally human-readable text file that contains a signature at the end. The main contents of this file are just a flat list of checksums for each platform release. You can see one from node here: https://nodejs.org/dist/v0.10.48/SHASUMS256.txt.asc

Now, installation works the same as it did before if you don't care about signatures, since the binary is released in the same exact way and is found at the same location. However, if you want to verify that the binary is correct, you can download the SHASUMS256.txt file and run gpg --batch --decrypt --output SHASUMS.txt SHASUMS256.txt.asc. Once the signature checks out on the file, you can safely compare the checksum in that file with the checksum of the bun binary.

What alternatives have you considered?

There are plenty of more complicated schemes, where you change the binary itself, but this is by far the simplest approach I've seen, and works really well.

tolmasky avatar Jan 05 '23 16:01 tolmasky
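The verification flow described in the issue above, as an added example that is not part of the original post and not bun's or Node's own tooling. It wraps the `gpg --decrypt --output` step, then compares the downloaded archive against the checksum list. Two details the post leaves implicit are made explicit: `gpg` reports a good signature from any key in the keyring, so the script pins an expected release-key fingerprint (`RELEASE_KEY_FPR` is a placeholder, not a real bun key) by reading the `VALIDSIG` status line, and the checksum list is trusted only after that check passes. The sample checksum text and file contents are constructed for the example and are not real bun release data; the script assumes `gpg` is on `PATH` and the release key has already been imported.

```python
"""Verify a clearsigned SHASUMS256.txt.asc, then check a release archive against it.

Hypothetical helper written for this example. Assumes gpg is installed, the
release public key is already in the keyring (optionally under GNUPGHOME), and
that the checksum file uses the Node-style "<sha256 hex>  <filename>" lines.
"""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Placeholder fingerprint: pin the real release key, obtained out of band.
RELEASE_KEY_FPR = "0000000000000000000000000000000000000000"

# Constructed sample in SHASUMS256.txt format (not real bun checksums).
# The first digest is sha256(b"hello"); the second is derived from b"world".
SAMPLE_SHASUMS = (
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  bun-linux-x64.zip\n"
    + hashlib.sha256(b"world").hexdigest() + "  bun-darwin-aarch64.zip\n"
)


def validsig_fingerprints(status_text: str) -> set:
    """Collect signing-key and primary-key fingerprints from gpg --status-fd output.

    A VALIDSIG line carries the signing (sub)key fingerprint as its first
    argument and the primary key fingerprint as its last one.
    """
    fprs = set()
    for line in status_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "[GNUPG:]" and tokens[1] == "VALIDSIG":
            fprs.add(tokens[2].upper())
            fprs.add(tokens[-1].upper())
    return fprs


def verify_clearsigned(asc_path: Path, pinned_fpr: str = RELEASE_KEY_FPR,
                       gnupghome=None) -> str:
    """Return the clearsigned text only if gpg reports a VALIDSIG from the pinned key."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = str(gnupghome)
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "SHASUMS256.txt"
        cmd = ["gpg", "--batch", "--status-fd", "1",
               "--output", str(out), "--decrypt", str(asc_path)]
        proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
        if proc.returncode != 0:
            raise RuntimeError("gpg rejected the signature: " + proc.stderr.strip())
        if pinned_fpr.upper() not in validsig_fingerprints(proc.stdout):
            raise RuntimeError("good signature, but not from the pinned release key")
        return out.read_text()


def parse_shasums(text: str) -> dict:
    """Map filename -> lowercase hex digest; skips blank and malformed lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def check_bytes(data: bytes, filename: str, shasums_text: str) -> bool:
    """True if sha256(data) matches the entry for filename in the verified list."""
    expected = parse_shasums(shasums_text).get(filename)
    if expected is None:
        return False  # an unlisted artifact is never accepted
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def check_file(path: Path, shasums_text: str) -> bool:
    """Stream a large archive through sha256 instead of reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    expected = parse_shasums(shasums_text).get(path.name)
    return expected is not None and hmac.compare_digest(h.hexdigest(), expected)


def verify_release(archive: Path, asc_path: Path, pinned_fpr: str = RELEASE_KEY_FPR) -> None:
    """Signature first, checksum second: never trust the list before gpg accepts it."""
    shasums_text = verify_clearsigned(asc_path, pinned_fpr)
    if not check_file(archive, shasums_text):
        raise RuntimeError(f"checksum mismatch for {archive.name}")


if __name__ == "__main__":
    # usage: verify_release.py bun-linux-x64.zip SHASUMS256.txt.asc [FINGERPRINT]
    fpr = sys.argv[3] if len(sys.argv) > 3 else RELEASE_KEY_FPR
    verify_release(Path(sys.argv[1]), Path(sys.argv[2]), fpr)
    print("OK: signature and checksum verified")
```

The order matters: `gpg --decrypt` on a clearsigned message still writes the payload even when the signature is bad, so the script only reads the extracted file after both the exit code and the pinned `VALIDSIG` fingerprint check pass. Checking the fingerprint (rather than just "good signature") is what stops a release signed by any other key that happens to be in the verifier's keyring from being accepted.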

Yeah we should do this.

Jarred-Sumner avatar Jan 05 '23 21:01 Jarred-Sumner

Shouldn't this be closed?

mucookul avatar Feb 05 '23 00:02 mucookul

It's not fully ready yet, almost done.

Electroid avatar Feb 05 '23 22:02 Electroid

This is done, releases since 0.5.6 have automated release signing.

Electroid avatar Feb 13 '23 20:02 Electroid