Noxime / steamworks-rs

Rust bindings to the SteamWorks SDK
Apache License 2.0

make github check hashes of steamworks library binaries #197

Open ymo-4 opened 1 month ago

ymo-4 commented 1 month ago

Recently saw that you can just open a pull request with the steamworks binaries in it for an update. So it would be good to automatically check the hashes of those binaries or, better, the whole `./steamworks-sys/lib/steam/` directory in case someone wants to inject malicious code. Since it's probably possible to download the steamworks lib via a direct URL without any restrictions, it should also be possible to implement something like: read steamworks version from file -> get the archive from `https://partner.steamgames.com/downloads/steamworks_sdk_<version here without dot>.zip` -> unpack -> get the hash of both the unpacked archive and the current commit -> compare them!

Hope you checked the hashes every time someone made a pull request with a steamworks update or really trust the people who made and continue to make these updates!

Noxime commented 1 month ago

Hi, this definitely could be automated. So far I have manually verified the sha1 hashes of PR'd updates or updated the files myself, but humans can of course make mistakes or forget. A GH Action could do it very reliably. I will see about adding it as a check.
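The comparison step discussed in this thread could look like the following. This is an added example, not code from the steamworks-rs project: it checks every file in the vendored directory against the copy inside an SDK archive that has already been downloaded. It uses SHA-256 rather than the SHA-1 mentioned above, and the `sdk/` archive prefix, the function names and the command-line arguments are assumptions.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

def sha256_stream(fh, chunk=1 << 20):
    """Hash a binary file object in chunks so large binaries are not read whole."""
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def archive_digests(zip_path, prefix):
    """Map path relative to `prefix` -> SHA-256 for every file in the archive."""
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            with zf.open(info) as fh:
                digests[info.filename[len(prefix):]] = sha256_stream(fh)
    return digests

def verify_vendored(vendored_dir, zip_path, prefix="sdk/"):
    """Return (modified, unknown): vendored files that differ from the archive copy
    and vendored files absent from it. The "sdk/" prefix is an assumed layout."""
    reference = archive_digests(zip_path, prefix)
    modified, unknown = [], []
    root = Path(vendored_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            actual = sha256_stream(fh)
        if rel not in reference:
            unknown.append(rel)      # file with no counterpart in the official archive
        elif reference[rel] != actual:
            modified.append(rel)     # same path, different bytes
    return modified, unknown

def main(vendored_dir, zip_path):
    """Print findings and return a CI exit code (0 = tree matches the archive)."""
    modified, unknown = verify_vendored(vendored_dir, zip_path)
    for label, rels in (("MODIFIED", modified), ("NOT IN ARCHIVE", unknown)):
        for rel in rels:
            print(label, rel)
    return 1 if modified or unknown else 0

if __name__ == "__main__":
    # Usage (hypothetical script name): verify_sdk.py <vendored_dir> <sdk_zip>
    sys.exit(main(*sys.argv[1:3]))
```

Files the archive does not contain fail the check as well, so anything intentionally added to the vendored directory would need an explicit allowlist.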