jayvdb
commented
1 month ago https://github.com/taiki-e/install-action also stores checksums in the repo.
In https://github.com/taiki-e/install-action/issues/526 I proposed using aqua as a fallback, but the lack of a central store of pre-computed checksums looks like it will make this more difficult.
Also in that issue I note that the ziglang/zig tool here doesnt have a checksum definition, when https://ziglang.org/download/ does have checksum files available. Are they in a supported format?
suzuki-shunsuke
Feature Overview
Store checksums in registries and verify checksums.
Why is the feature needed?
As you know, aqua has the feature for checksum verification.
https://aquaproj.github.io/docs/reference/security/checksum/
This is very awesome, but this feature is disabled by default. I think it's difficult to enable this feature by default because to enable this feature in Git projects users need to manage aqua-checksums.json with Git, which means users need to update aqua-checksums.json continuously. We provide GitHub Actions and CircleCI Orb to automate the update of aqua-checksums.json, but I don't think most of users set up them. Unfortunately, I don't think most of users are so interested in the checksum verification.
⚠️ This is just my expectation, so maybe this is wrong.
So I don't think most people verify checksums, this is undesirable and dangerous.
By the way, Homebrew verifies checksums transparently by keeping checksums in formula. It's so nice.
So I'm thinking that we store checksums in registries and aqua verifies checksums with them. Users don't need to set up anything but aqua verifies checksums transparently.
This improves the security without harming the user experience.
Workaround
No response
Example Code
No response
Note
No response