bat icon indicating copy to clipboard operation
bat copied to clipboard
verified publisher icon sharkdp

Add checksums to the build artifacts

Open SamMorrowDrums opened this issue 4 years ago • 2 comments

Hi, thanks for making this tool - it is awesome. Would it be possible to add checksums to future tagged releases?

I'm in the process of locking down more of my install scripts in Dockerfiles to verify the sha256sum of every deb I manually install, and I believe bat currently doesn't provide a checksums.txt or equivalent so users can verify that the version of the build they download has not been tampered with since release.

I appreciate it's unlikely to be a risk in practice, but it would really be appreciated. I could potentially work on this if you'd like too - I'm just flagging it up while I have noticed.

SamMorrowDrums avatar Sep 29 '21 09:09 SamMorrowDrums

No objections from me :) I believe our artifacts are built from CI, so presumably we just need another step in the GitHub Actions?

keith-hall avatar Sep 30 '21 04:09 keith-hall

If you have a folder of build artifacts you can literally just do this at the very end of the process (execute in that folder or change the .):

find . -type f -exec sha256sum {} \; > checksums.txt

And if you develop on mac brew install coreutils should let you run / test it locally and Linux should already have it installed in basically every distro.

The file looks like this:

cat checksums.txt

035b94fd02c844448ba36ef8b4d49a0655ffc49e1aa29b58444c13ef19f1f08f file1
beb5d31babde8ec5f57489a4e8759f8b7e089a6b7545a23f38519ffa2886d649 file2
c8b7960650c1967c1adb8d6bf13adf74d9327e632915393ca0d66ee95ba5c915 file3
08f1fac321f21572e8ff8bea498808ab146ec9d6356f7ed441f382c0724250fb file4

SamMorrowDrums avatar Sep 30 '21 14:09 SamMorrowDrums