duthils

Results 9 comments of duthils

@felixfontein can this PR be closed, now that #1391 is merged?

I just opened a PR to fix the missing packages from the checksums file: https://github.com/getsops/sops/pull/1588

So for me, the question is:

* do we want to keep `checksums.txt`, since `intoto.jsonl` includes the checksums?
* If yes, do we leave it in the current state where...

Here is the alternative PR to remove `checksums.txt` and associated files: https://github.com/getsops/sops/pull/1643

I'm fine with that option as well. Since both PRs are open, we only need to merge one and close the other. I have rebased the branch.

This CVE is fixed in go 1.22.5, see the [release announcement](https://groups.google.com/g/golang-announce/c/gyb7aM1C9H4). The go toolchain was updated to 1.22.5 in https://github.com/getsops/sops/pull/1589

Oh, right... For the record, the CVE issue is also fixed in 1.21.12, see the [release announcement](https://groups.google.com/g/golang-announce/c/gyb7aM1C9H4).

I can't reproduce the issue in a clean directory:

```shell
$ mkdir /tmp/reproduce
$ cd /tmp/reproduce
$ echo '{"test": "value"}' > mysecret.json
$ sops --version
sops 3.9.4 (latest)
$ sops...
```