
Are there checksums (for releases)?

Open ilia-shipitsin opened this issue 2 years ago • 4 comments

Hello,

GitHub runner images team here. We are looking into securing supply chains when adding software to CI images.

Are there checksums available? Or maybe some recommended validation approach?

thanks!

ilia-shipitsin avatar Sep 14 '23 10:09 ilia-shipitsin

Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?

smowton avatar Sep 15 '23 11:09 smowton

We download CodeQL bundles using https://github.com/actions/runner-images/blob/main/images/win/scripts/Installers/Install-CodeQLBundle.ps1

Files like "https://github.com/github/codeql-action/releases/download/$($Bundle.TagName)/codeql-bundle.tar.gz"

ilia-shipitsin avatar Sep 15 '23 12:09 ilia-shipitsin

@ilia-shipitsin since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact) do you have a preference between the following options?

  • a single checksums file containing checksums and filenames for each of the 4 files, on separate lines (this is what the gh CLI does for example)
  • one checksum file for each artifact

adityasharad avatar Sep 22 '23 22:09 adityasharad
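The first option above (one checksums file listing every artifact) is what a CI image script would then have to consume. The following is an added example, not code from the codeql-action project or from this issue: it verifies one downloaded bundle against such a file, matching the filename field exactly so the other artifacts' lines are ignored, and fails closed when the entry is missing or the digest differs. The bundle names and payloads are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the codeql-action project or this issue:
# verify a downloaded bundle against the single multi-line checksums file
# discussed above (one "<sha256>  <filename>" line per artifact, the
# sha256sum / gh CLI layout). Fails closed on a missing entry or a mismatch.

# sha256_of <file>: hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_artifact <checksums-file> <artifact-path>
# 0 = match, 1 = digest mismatch, 2 = no entry for this filename.
verify_artifact() {
  name=$(basename "$2")
  # Match the filename field exactly: "codeql-bundle.tar.gz" must not be
  # satisfied by the "codeql-bundle-linux64.tar.gz" line or vice versa.
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$1")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  if [ "$(sha256_of "$2")" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# make_fixture: constructed stand-in for a release with three bundles and a
# checksums file covering exactly those three (a fourth name has no entry).
# Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  for n in codeql-bundle-linux64 codeql-bundle-win64 codeql-bundle; do
    printf 'fake %s payload\n' "$n" > "$d/$n.tar.gz"
    printf '%s  %s.tar.gz\n' "$(sha256_of "$d/$n.tar.gz")" "$n" \
      >> "$d/checksums.txt"
  done
  echo "$d"
}
```

Against a real release the call is `verify_artifact checksums.txt codeql-bundle.tar.gz` after downloading both files; the fixture only stands in for that download.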

The standard unix model is one signature per file, since it enables wget $url{,.sig}.

jsoref avatar Feb 13 '24 21:02 jsoref