Use checksums for cached distributions
NOTE: this issue predates this project's rename to Volta.
We should verify the checksums of the distributions downloaded by Notion, to:
- verify the downloaded distro is correct, and
- verify the cached distro is valid
Node
Node distributions have a corresponding sha256sum file at https://nodejs.org/dist/vx.y.z/SHASUMS256.txt (see https://github.com/nodejs/node#verifying-binaries).
We should download that checksum, and can verify it using the sha2 crate.
Yarn
Short-term, we will need to add checksums to https://github.com/notion-cli/yarn-releases, and verify those.
Long-term, we will probably get Yarn from GitHub (at https://github.com/yarnpkg/yarn/releases). But they don't include checksums with those releases, or through the API (e.g. https://api.github.com/repos/yarnpkg/yarn/releases/latest) – not sure what we can use for that.
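The Node check described above, sketched as an added example (not code from Notion/Volta): parse the `SHASUMS256.txt` listing, hash the downloaded or cached archive, and fail closed when the file is not listed. It is written in Python with `hashlib` rather than the Rust `sha2` crate the issue names; the function names, archive file name and archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")

def parse_shasums(text):
    """Map file name -> lowercase hex digest from SHASUMS256.txt content."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)          # "<digest>  <file name>"
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX:
            sums[name] = digest
    return sums

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_distro(path, shasums_text):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded or cached archive."""
    expected = parse_shasums(shasums_text).get(Path(path).name)
    if expected is None:
        return "unlisted"                    # fail closed: no digest, no trust
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed data: a fresh download, a corrupted cache entry, an unlisted file."""
    payload = b"constructed archive bytes"
    with tempfile.TemporaryDirectory() as d:
        distro = Path(d) / "node-vx.y.z-linux-x64.tar.gz"   # placeholder name
        distro.write_bytes(payload)
        listing = f"{hashlib.sha256(payload).hexdigest()}  {distro.name}\n"
        fresh = verify_distro(distro, listing)
        distro.write_bytes(b"corrupted cache entry")         # simulate cache damage
        cached = verify_distro(distro, listing)
        other = Path(d) / "not-in-listing.tar.gz"
        other.write_bytes(payload)
        return fresh, cached, verify_distro(other, listing)

if __name__ == "__main__":
    print(demo())
```

A digest fetched from the same server as the archive detects corruption and later modification of the cache; the "verifying binaries" section of the Node README linked above also covers checking the signature on `SHASUMS256.txt` itself.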