Provide checksum files
Hi,
Thanks for a great project! Would be great if there were checksum files provided with the releases. Thanks!
Hey @jimbju, sorry for the delayed response. Do you mean checksums for the auto-generated source code bundles in Github? Or checksums for the packages that get published to the PowerShell Gallery?
Unfortunately, I'm not in control of the process that creates either archive. At the moment, I'd be downloading them as soon as they're created, hashing them myself, and editing the release notes on Github since I can't modify them in the gallery after a version is published.
I'm not against the idea. I'm just not sure how best to accomplish what you're asking and what having the hashes would prove if you're already downloading the packages from the official sources. It looks like even Microsoft only publishes hashes for binary archives in PowerShell releases, not source archives.
Hey! Thanks for the reply! I'm not that familiar with GitHub releases so I'm not sure exactly what I'm requesting! :D I'm using another ACME client on my *nix systems and that project produces a checksum file when releasing new versions. https://github.com/go-acme/lego/releases
Not sure how that checksum file gets created though.
So one big difference between Posh-ACME and Lego is that Lego is written in golang and must be compiled into a binary package before use. Those binary packages are what get the checksums. It's similar to the PowerShell runtime in the fact that both only provide checksums of the binary packages that are attached to a release, but not the source code archives that are automatically generated by Github.
Posh-ACME is a PowerShell module (like a library or plugin) that doesn't require compilation before use (though there are other modules that do). When I publish the module to the PowerShell Gallery site, it's essentially just a zip file of the module directory from the source code archive that the publishing tool creates during the publish process. It also means there's no need for packages specific to a certain CPU architecture like the binary packages have.
When you use Install-Module to install it from powershellgallery.com, the published zip file is automatically extracted back into source form on your local device. There's not really a chance for you to verify the checksum of the file under normal circumstances even if it did exist.
So I guess my question is still, how would you actually use a checksum file in practice if it existed?
I was planning to use the checksum file when downloading the zip from GitHub releases.
I'll see if I can figure out a way to auto-populate a checksum value in the release notes for the source archives. However, I'm not convinced of the overall usefulness of this assuming you're getting both the source archive and the checksum info from the same place (e.g. Github).
If the goal is to verify that the file you downloaded is legitimate, that presumes an attacker is theoretically able to override the content being served by Github to your browser. But if they were able to do that, they'd also be able to override the checksum data so it matches the overridden archive file, right? It seems like the only way this would be helpful is if you're downloading the source archive from a different source than Github and want to make sure it matches the copy available on Github.
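The scenario the maintainer describes in the last two replies, where a checksum only adds assurance when the hash and the archive come from different places, is easy to act on from the downloading side. The following PowerShell is an added example written for this page; it is not part of Posh-ACME, lego, or anything the project publishes. It assumes the release archive URL, the second-source URL, and the expected hash value are all placeholders you replace with values obtained through a channel other than the download itself (for instance, a hash you recorded from a previous trusted install, or one published on a separate site). Only built-in cmdlets are used: `Invoke-WebRequest` to fetch, `Get-FileHash` to compute SHA-256.

```powershell
# Added example (not project code): verify a downloaded release archive against a
# SHA-256 value obtained out-of-band, and optionally confirm that two independent
# sources serve byte-identical copies. Placeholders marked <...> are assumptions.

function Test-ArchiveHash {
    <#
    .SYNOPSIS
        Compare the SHA-256 of a local file with an expected value from a separate channel.
    .OUTPUTS
        $true on match; throws on mismatch so a calling script stops before extracting.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Get-FileHash returns upper-case hex; normalise the expected value the same way
    # so a lower-case hash copied from a web page still compares correctly.
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $expected = $ExpectedSha256.Trim().ToUpperInvariant()

    if ($actual -ne $expected) {
        throw "SHA-256 mismatch for '$Path'. Expected $expected but got $actual. Do not extract or install this archive."
    }
    return $true
}

function Test-SameContentFromTwoSources {
    <#
    .SYNOPSIS
        Download the same release from two independent locations and confirm the
        bytes agree. This is the "different source than Github" case from the thread:
        a single compromised mirror cannot also alter the copy served elsewhere.
    #>
    param(
        [Parameter(Mandatory)] [string] $PrimaryUrl,
        [Parameter(Mandatory)] [string] $SecondaryUrl
    )

    $tmp = [System.IO.Path]::GetTempPath()
    $a = Join-Path $tmp 'release-primary.zip'
    $b = Join-Path $tmp 'release-secondary.zip'

    Invoke-WebRequest -Uri $PrimaryUrl   -OutFile $a
    Invoke-WebRequest -Uri $SecondaryUrl -OutFile $b

    $hashA = (Get-FileHash -Path $a -Algorithm SHA256).Hash
    $hashB = (Get-FileHash -Path $b -Algorithm SHA256).Hash

    Remove-Item -Path $a, $b -ErrorAction SilentlyContinue

    if ($hashA -ne $hashB) {
        throw "The two sources disagree (primary $hashA, secondary $hashB); treat the download as untrusted."
    }
    return $hashA
}

# --- Usage (placeholder values; replace before running) -------------------------
# 1. Hash recorded out-of-band, e.g. from a previously verified install.
$expected = '<SHA256-FROM-A-SEPARATE-CHANNEL>'

# 2. Fetch the release archive and check it before doing anything else with it.
$archive = Join-Path ([System.IO.Path]::GetTempPath()) 'Posh-ACME-release.zip'
Invoke-WebRequest -Uri '<RELEASE-ARCHIVE-URL>' -OutFile $archive
Test-ArchiveHash -Path $archive -ExpectedSha256 $expected

# 3. Alternatively, confirm two independent hosts serve the same bytes.
# Test-SameContentFromTwoSources -PrimaryUrl '<GITHUB-URL>' -SecondaryUrl '<MIRROR-URL>'
```

The design choice worth noting is that `Test-ArchiveHash` throws rather than returning `$false`, so a script that chains download, verify and `Expand-Archive` halts at the verification step under `$ErrorActionPreference = 'Stop'` instead of silently continuing with an unverified file. For modules installed through `Install-Module`, the same comparison can be made on the extracted module directory only after the fact, which is the limitation the maintainer points out above; the checks here apply to the GitHub release archive path the reporter said they intended to use.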