Request: possible to publish sha256sum along with binaries?

[luislavena]

Hello folks,

Thanks for creating and releasing both overmind and hivemind, these have become the first tool in my toolbelt for development! 😍

Background:

Until recently I've been using only with linux/amd64 binaries with Docker, but more and more, linux/arm64 (aarch64) is becoming popular.

In order to ensure integrity of overmind/hivemind installation, I've been using the following approach in my Dockerfiles:

ENV OVERMIND_VERSION=2.2.1 \
    OVERMIND_SHA256=4a425e8654219014bb7ea127eab6f8c6c2325418814a7c128a4355f4e06b4a79

RUN --mount=type=cache,target=/var/cache/apk \
    set -eux; \
    apk add \
        tmux \
    ; \
    { \
        curl --fail --progress-bar -Lo overmind.gz https://github.com/DarthSim/overmind/releases/download/v${OVERMIND_VERSION}/overmind-v${OVERMIND_VERSION}-linux-amd64.gz; \
        echo "${OVERMIND_SHA256} *overmind.gz" | sha256sum -c - >/dev/null 2>&1; \
        zcat overmind.gz > /usr/local/bin/overmind; \
        chmod +x /usr/local/bin/overmind; \
        rm overmind.gz; \
    }; \
    # smoke test
    [ "$(command -v overmind)" = '/usr/local/bin/overmind' ]; \
    overmind --version | grep -q "${OVERMIND_VERSION}"

Which checks the downloaded package against the computed SHA256 of the file. While limited, it aims to provide some reproducible builds.

However, with the introduction of multiple platforms (and the detection, not showing in the snippet), will be better to download the SHA256 of each binary to validate its integrity.

Request:

Will be possible to publish a .sha256sum along each of the packages? (Eg. overmind-v2.2.1-linux-amd64.gz.sha256sum) Or just one for all files in the same release?

Thank you in advance and once again, thank you for creating and sharing Overmind and Hivemind with the world! ❤️ ❤️ ❤️

Cheers.

[DarthSim]

Hey Luis! Added sums to the latest release

[luislavena]

Thank you @DarthSim!!!

Have a great week! ❤️ ❤️ ❤️