[FR] - Release artifacts checksums - where???

[den-is]

Where are release artifacts checksums? Either archives or binaries checksums?

[smelc]

@den-is> We didn't produce checksums so far, but I can probably extend the release pipeline to do so. Any opinion on the format of the checksum? I'm thinking something like:

> sha256sum cardano-cli-8.23.0.0-x86_64-linux.tar.gz > cardano-cli-8.23.0.0-x86_64-linux-checksum.txt

And attaching cardano-cli-8.23.0.0-x86_64-linux-checksum.txt as an artifact to the GitHub releases. Would that work for you?

[den-is]

yea this would cut probably better to use SHA256SUMS in the filename, to indicate what checksums are in the file, rather than just "checksums" word.

for example: https://github.com/opentofu/opentofu/releases/download/v1.7.1/tofu_1.7.1_SHA256SUMS Work fine with my automated ansible workflows when I'm able to automatically fetch checksum for a given "binary+version+os+arch"

P.S.: I'm building my Cardano binaries myself. I was not questioning it until recently. I was surprised to not see CHECKSUMS for the project which pretends to be "the only bright future, the most secure, the most reliable, the most auditable, the most... hmmm what else was there in the usual crypto brag"

Can you add checksums to cardano-node pipeline too?

[smelc]

@den-is> I'm going to generate a cardano-cli-8.22.0.0-sha256-sums.txt file with lines being of the form:

56c5590a1e06b94ca7db74dca6be050ae5afe185acca6612a24e1cb3277c6181  cardano-cli-8.23.0.0-x86_64-linux.tar.gz
...

I will propose the same in cardano-node, but it will be up to another team than mine to accept it :+1:

[den-is]

@smelc why not *-sha-256-sums.txt? :) jk. I mean I'have not seen any project splitting "word" sha256sums https://releases.ubuntu.com/24.04/ https://download.rockylinux.org/pub/rocky/9/isos/x86_64/ https://ftp.fau.de/fedora/linux/releases/40/Workstation/x86_64/iso/ and thousand other projects on github

[smelc]

@den-is> changed to -sha256sums.txt suffix :+1: