Feature request: SHA256 for GitHub release downloads
I'm using CMake's FetchContent to download the latest Boost release as part of my project's CMake build process. It's possible to pass an SHA256 hash to FetchContent so that it can verify the integrity of the download.
However, if I look at the assets listed in the Boost GitHub release page, there aren't any files there containing meta-information like SHA256 hashes.
I tried using the SHA256 hash available here at jfrog.io. CMake complains of SHA256 mismatch when I try using that hash:
verifying file...
[cmake] file='/home/build/_deps/fetchboost-subbuild/fetchboost-populate-prefix/src/boost-1.84.0.tar.gz'
[cmake] -- SHA256 hash of
[cmake] /home/build/_deps/fetchboost-subbuild/fetchboost-populate-prefix/src/boost-1.84.0.tar.gz
[cmake] does not match expected value
[cmake] expected: 'a5800f405508f5df8114558ca9855d2640a2de8f0445f051fa1c7c3383045724'
[cmake] actual: '4d27e9efed0f6f152dc28db6430b9d3dfb40c0345da7342eaa5a987dde57bd95'
Of course, now I know that the hash is supposed to be 4d27e9efed0f6f152dc28db6430b9d3dfb40c0345da7342eaa5a987dde57bd95, but it would be better if that were published somewhere in an official manner.
To clarify, it's the GitHub release downloads that lack a published SHA256.
Same problem for me.
SHA256 checksums for the official archives are published in release notes.
> SHA256 checksums for the official archives are published in release notes.
I don't remember exactly, but I think that SHA256 only works with the jfrog download link, and not the GitHub release tarball.
The checksums in the release notes only cover the archives on jfrog. The archives on GitHub are different and there are no published checksums for those.
> The archives on GitHub are different and there are no published checksums for those.
That's why I raised this issue. I should have made that clearer in my description.
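An added example, not part of the thread and not code from Boost or CMake: it shows why a SHA256 published for one download channel cannot be reused for another. The hash covers the archive bytes, so the same files packaged differently produce a different value. The file names, directory names and contents are constructed samples; this does not reproduce the Boost archives or show how they actually differ.

```python
import hashlib, hmac, io, os, tarfile, tempfile

def archive_sha256(path):
    """SHA256 of the archive bytes, the value a download pin is checked against."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def content_sha256(path):
    """SHA256 over each regular file's relative name and bytes, ignoring packaging."""
    h = hashlib.sha256()
    with tarfile.open(path, "r:gz") as tar:
        for m in sorted((m for m in tar.getmembers() if m.isfile()), key=lambda m: m.name):
            rel = m.name.split("/", 1)[1]  # drop the top-level directory
            data = tar.extractfile(m).read()
            h.update(rel.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def build_sample(path, top_dir, mtime, files):
    """Constructed sample archive: pack `files` under `top_dir` with a fixed mtime."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top_dir}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))

def compare_channels():
    """Package the same constructed files two ways and test one channel's pin on both."""
    files = {"README": b"sample\n", "version.hpp": b"#define SAMPLE_VERSION 1\n"}
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.tar.gz"), os.path.join(d, "b.tar.gz")
        build_sample(a, "sample_1_0", 1700000000, files)
        build_sample(b, "sample-1.0", 1700000500, files)
        pin_a = archive_sha256(a)  # checksum "published" for channel A only
        return {
            "pin_accepts_a": hmac.compare_digest(pin_a, archive_sha256(a)),
            "pin_accepts_b": hmac.compare_digest(pin_a, archive_sha256(b)),
            "same_content": content_sha256(a) == content_sha256(b),
        }

if __name__ == "__main__":
    for key, value in compare_channels().items():
        print(f"{key}: {value}")
```

A pin is therefore only meaningful next to the exact URL it was computed for, which is why a checksum published per channel is needed.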