
Add asset hashes (Checksums) to releases

Open Frulfump opened this issue 6 months ago • 5 comments

This makes it possible to verify them after download. This is done for Terminal: https://github.com/microsoft/terminal/releases. Please add instructions for how to verify to the README.md as well.

Frulfump avatar May 22 '25 09:05 Frulfump

Looks like this will be automated by GitHub in the future: https://github.com/github/roadmap/issues/1136

Frulfump avatar May 29 '25 19:05 Frulfump

> Looks like this will be automated by GitHub in the future: https://github.com/github/roadmap/issues/1136

This is released now https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/

Frulfump avatar Jun 04 '25 23:06 Frulfump

It seems as if existing uploads don't get these?

lhecker avatar Jun 05 '25 13:06 lhecker

> It seems as if existing uploads don't get these?

Yeah I think that might be the case, unless they run some type of background job to calculate it after the fact but that sounds infeasible for all old releases across GitHub.

The blog says "These digests are generated at upload time, immutable, and let you verify that downloaded assets haven’t been altered since publishing." (my emphasis in bold) so I interpret that as it's probably only for new releases but the blog is unclear and I would have appreciated them not being so terse.

But it also says "You can view or retrieve asset checksums anywhere you access releases:

- The GitHub Releases UI, next to each asset
- The [Releases REST API](https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#get-a-release)
- The [GraphQL API](https://docs.github.com/en/graphql/reference/objects#releaseasset)
- The [gh CLI](https://cli.github.com/manual/gh_release_view)"

But I looked at a couple of releases from other projects that released yesterday and today and didn't see any digests. A bit surprised they didn't include any screenshots to show what it looks like.

Frulfump avatar Jun 06 '25 11:06 Frulfump

https://github.com/microsoft/edit/releases/tag/v1.2.0 now lists checksums for some assets

So maybe there was just some deployment delay/feature roll out delay.

There are none for the Source code (zip) and Source code (tar.gz).

Frulfump avatar Jun 26 '25 12:06 Frulfump

For now, that's good enough for me. I'll close this issue. We can consider having official source tarballs in the future.

lhecker avatar Jun 26 '25 15:06 lhecker
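
The verification this issue asks for, as an added example that is not code from the thread or from the project: it checks a downloaded file against the digest published for a release asset, and reports "no-digest" for the two cases raised above (uploads that have no digest, and the generated source archives). It assumes each entry in the REST response's `assets` array carries a `digest` field of the form `sha256:<hex>` that is null when no digest exists; the asset names and bytes are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample shaped like a "Get a release" response; names and bytes are made up.
SAMPLE_BYTES = b"constructed asset contents\n"
SAMPLE_RELEASE = json.dumps({"assets": [
    {"name": "tool-new.zip", "digest": "sha256:" + hashlib.sha256(SAMPLE_BYTES).hexdigest()},
    {"name": "tool-old.zip", "digest": None},  # assumed shape for a pre-feature upload
]})


def expected_sha256(release_json, asset_name):
    """Return the published SHA-256 hex for an asset, or None if there is none."""
    for asset in json.loads(release_json).get("assets", []):
        if asset.get("name") == asset_name:
            algo, _, hexval = (asset.get("digest") or "").partition(":")
            return hexval.lower() if algo == "sha256" and hexval else None
    return None  # not an uploaded asset, e.g. the generated "Source code" archives


def verify_asset(path, release_json):
    """Return 'ok', 'mismatch' or 'no-digest' for a downloaded file."""
    expected = expected_sha256(release_json, os.path.basename(path))
    if expected is None:
        return "no-digest"  # unverified, which is not the same as verified
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "ok" if hmac.compare_digest(h.hexdigest(), expected) else "mismatch"


def demo():
    """Verify constructed files: intact, tampered, digest missing, and not an asset."""
    cases = [("intact", "tool-new.zip", SAMPLE_BYTES),
             ("tampered", "tool-new.zip", SAMPLE_BYTES + b"x"),
             ("old-upload", "tool-old.zip", SAMPLE_BYTES),
             ("source", "Source code.zip", SAMPLE_BYTES)]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, name, data in cases:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_asset(path, SAMPLE_RELEASE)
    return results


if __name__ == "__main__":
    print(demo())
```

The digest only helps if the release JSON is fetched from GitHub over an authenticated channel separate from wherever the file was obtained, since a digest copied from the same mirror as the file proves nothing.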