aquaproj / aqua

Declarative CLI Version manager written in Go. Support Lazy Install, Registry, and continuous update with Renovate. CLI version is switched seamlessly
https://aquaproj.github.io

Verify the checksum #427

Closed suzuki-shunsuke closed 1 year ago

suzuki-shunsuke commented 2 years ago

ref. https://zenn.dev/shunsuke_suzuki/scraps/7cfc2d3a5c6d04

Overview

Verify the checksum of the downloaded file, and if the checksum is wrong, fail the installation.

Motivation

Make aqua secure. Prevent supply chain attacks.

Consideration

We have to keep aqua simple. We should avoid making aqua complicated by introducing checksum verification.

Proposal of Specification

When a tool is installed, aqua verifies the checksum as follows.

  1. Download the file to a temporary directory
  2. Calculate the checksum of the downloaded file
  3. Read the file .aqua-checksums.json in the same directory as the aqua configuration file. If .aqua-checksums.json isn't found, aqua treats the file as empty
  4. Get the expected checksum of the downloaded file from .aqua-checksums.json
  5. If the actual checksum is different from the expected checksum, fail the installation. If the checksum isn't found in .aqua-checksums.json, the actual checksum is added to .aqua-checksums.json
  6. Install the file

:warning: Note

If the file is falsified before the correct checksum is added to .aqua-checksums.json, it is difficult to detect the falsification.

:bulb: Ignore the specific checksum verification

If you would like to ignore the specific checksum verification, you can do it by removing the checksum from .aqua-checksums.json.

.aqua-checksums.json

Pairs of package id and checksum are recorded.

e.g.

{
  "github_archive/github.com/tfutils/tfenv/v2.2.3": "0b42330aeed675ad3e5dd6063dbd1daabecb36180e515cca1c6e105dd7a1fa49"
}

This file is created and updated by aqua automatically, so you don't have to update this file manually.

Question: Should .aqua-checksums.json be managed with Git?

Coming soon

Algorithm to calculate checksums

sha256 is used for goreleaser by default, so aqua would also support sha256 by default. In future, aqua may support other algorithms too.

Idea: command to update .aqua-checksums.json like terraform providers lock

Coming soon

Future work

Implementation

Reference
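
The verification flow proposed in this issue (steps 2 to 5, using the flat .aqua-checksums.json layout shown above), as an added Go example that is not aqua's own code; `verifyOrRecord`, `loadChecksums` and `ErrMismatch` are hypothetical names. It makes the note above concrete: an entry recorded on first sight pins whatever bytes were downloaded, so only later changes are detected.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrMismatch is returned when a download does not match the recorded checksum.
var ErrMismatch = errors.New("checksum mismatch")

// loadChecksums reads the flat {"package id": "sha256 hex"} file.
// A missing file is treated as empty (step 3 of the proposal).
func loadChecksums(path string) (map[string]string, error) {
	sums := map[string]string{}
	b, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return sums, nil
	}
	if err != nil {
		return nil, err
	}
	if err := json.Unmarshal(b, &sums); err != nil {
		return nil, fmt.Errorf("parse %s: %w", path, err)
	}
	return sums, nil
}

// verifyOrRecord implements steps 2-5. recorded is true when no checksum was
// known for pkgID and the calculated one has just been written to the file.
func verifyOrRecord(lockPath, pkgID string, downloaded []byte) (recorded bool, err error) {
	sum := sha256.Sum256(downloaded)
	actual := hex.EncodeToString(sum[:])

	sums, err := loadChecksums(lockPath)
	if err != nil {
		return false, err
	}
	if expected, ok := sums[pkgID]; ok {
		if expected != actual {
			// Step 5: fail the installation, never overwrite the recorded value.
			return false, fmt.Errorf("%w: %s: expected %s, got %s", ErrMismatch, pkgID, expected, actual)
		}
		return false, nil
	}
	// Not found: trust on first use. Nothing vouches for these bytes yet,
	// so a file falsified before this point is recorded as "correct".
	sums[pkgID] = actual
	out, err := json.MarshalIndent(sums, "", "  ")
	if err != nil {
		return false, err
	}
	return true, os.WriteFile(lockPath, append(out, '\n'), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "aqua-checksum-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	lock := filepath.Join(dir, ".aqua-checksums.json")
	id := "github_archive/github.com/tfutils/tfenv/v2.2.3"
	// Constructed inputs: first install, identical re-download, modified download.
	for _, body := range []string{"release bytes", "release bytes", "tampered bytes"} {
		recorded, err := verifyOrRecord(lock, id, []byte(body))
		fmt.Printf("recorded=%v err=%v\n", recorded, err)
	}
}
```
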

suzuki-shunsuke commented 2 years ago
suzuki-shunsuke commented 2 years ago

How to configure

- type: github_release
  repo_owner: suzuki-shunsuke
  repo_name: github-comment
  asset: 'github-comment_{{trimV .Version}}_{{.OS}}_amd64.tar.gz'
  description: CLI to create a GitHub comment
  checksum:
    filename: 'github-comment_{{trimV .Version}}_checksums.txt'
    format: goreleaser
    algorithm: sha256
    # how to extract the checksum from file

suzuki-shunsuke commented 2 years ago

goreleaser

  # Algorithm to be used.
  # Accepted options are sha256, sha512, sha1, crc32, md5, sha224 and sha384.
  # Default is sha256.
  algorithm: sha256

9568289b4cabb368771b2cd92575b9474ced9865b092f13cecf992cfcf908bae  github-comment_4.0.1_linux_amd64.tar.gz
b5c06ff10364f136ccfa65e8bd0a4154bef94d79910fab41413b756c51520224  github-comment_4.0.1_windows_amd64.tar.gz
fb3b75af28078dbeef9c9dde95955fa7877623c8f77d3ebaaba4990764fb6c8e  github-comment_4.0.1_darwin_amd64.tar.gz

suzuki-shunsuke commented 2 years ago

aqua.checksum.json

{
  "packages": [
    {
      "name": "suzuki-shunsuke/github-comment@v4.0.0",
      "assets": [
        {
          "id": "github-comment_4.0.1_linux_amd64.tar.gz",
          "checksum": "9568289b4cabb368771b2cd92575b9474ced9865b092f13cecf992cfcf908bae"
        }
      ]
    }
  ]
}

Create or update file when aqua i is run. Get checksum when file is downloaded.

suzuki-shunsuke commented 2 years ago

I gave up on this idea once, but I am reconsidering it.

suzuki-shunsuke commented 2 years ago

I've implemented the basic feature in #794. It works as expected, but it is difficult to merge this for now because it harms the user experience of aqua. We have to maintain .aqua-checksums.json. When we update tools by Renovate, we have to update .aqua-checksums.json too. The checksum would be different per OS and CPU architecture. Some users would be confused by unexpected changes of .aqua-checksums.json.

We have to solve the problem.

suzuki-shunsuke commented 2 years ago

I'm working on this.

suzuki-shunsuke commented 2 years ago

aqua.yaml

checksum:
  enabled: true

# checksum settings of a package in the registry (fragment)
    checksum:
      type: github_release
      algorithm: sha256
      path: tfcmt_{{trimV .Version}}_checksums.txt
      file_format: regexp
      pattern:
        checksum: ^(.{64})
        file: ^.{64}  (.*)$

tfcmt_3.2.5_checksums.txt

2397316c12b9e8be8756fde576607fe6d0eb7ddc2bc6ed78b55b787167847ecd  tfcmt_darwin_arm64.tar.gz
4e7951939337b45ff150d00b8cef8eba1c011232290d6902b0895740a20dfdb0  tfcmt_linux_arm64.tar.gz
652fced48841530601f7baef6150547820392c0498929e7a7d9a90c298d9abce  tfcmt_windows_arm64.tar.gz
90a36e8d0c373ff22755aa8231c3b37deb3e3f03d3f048017b6c51296114a4cf  tfcmt_windows_amd64.tar.gz
93899f8cce451c007740493f32187625418bebbe7ec9fa975cf865fa65bd5f06  tfcmt_darwin_amd64.tar.gz
e23730b18d1ae83242f0d0b48ceeb2db71f55b5ef44426cc2830f98f8b571a3c  tfcmt_linux_amd64.tar.gz
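
How the `pattern.checksum` / `pattern.file` pair above can be applied to a checksum file, as an added Go example that is not aqua's implementation. The function name, the hex and digest-length validation and the duplicate check are assumptions of this sketch; the error text reuses the "no checksum is extracted" message quoted in the troubleshooting comment of this thread.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// digestSize maps the config's "algorithm" value to the digest length in bytes.
var digestSize = map[string]int{"sha256": 32, "sha512": 64}

// ErrNoChecksum is returned when no line matches both patterns, which usually
// means the registry configuration does not fit the checksum file.
var ErrNoChecksum = errors.New("parse a checksum file: no checksum is extracted")

// parseChecksumFile applies pattern.checksum and pattern.file to every line
// and returns asset name -> lowercase hex digest.
func parseChecksumFile(content, algorithm, checksumPat, filePat string) (map[string]string, error) {
	size, ok := digestSize[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported algorithm %q", algorithm)
	}
	sumRe, err := regexp.Compile(checksumPat)
	if err != nil {
		return nil, fmt.Errorf("pattern.checksum: %w", err)
	}
	fileRe, err := regexp.Compile(filePat)
	if err != nil {
		return nil, fmt.Errorf("pattern.file: %w", err)
	}
	if sumRe.NumSubexp() < 1 || fileRe.NumSubexp() < 1 {
		return nil, errors.New("both patterns need one capture group")
	}
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		s, f := sumRe.FindStringSubmatch(line), fileRe.FindStringSubmatch(line)
		if s == nil || f == nil {
			continue // line is not a checksum entry for these patterns
		}
		// ".{64}" accepts any 64 characters, so fail closed unless the capture
		// really is a hex digest of the configured algorithm.
		raw, err := hex.DecodeString(s[1])
		if err != nil || len(raw) != size {
			return nil, fmt.Errorf("%q is not a %s digest", s[1], algorithm)
		}
		digest := strings.ToLower(s[1])
		// Two different digests for one asset make the file ambiguous.
		if prev, dup := sums[f[1]]; dup && prev != digest {
			return nil, fmt.Errorf("conflicting checksums for %q", f[1])
		}
		sums[f[1]] = digest
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if len(sums) == 0 {
		return nil, ErrNoChecksum
	}
	return sums, nil
}

// sample holds two lines copied from the tfcmt_3.2.5_checksums.txt listing above.
const sample = `2397316c12b9e8be8756fde576607fe6d0eb7ddc2bc6ed78b55b787167847ecd  tfcmt_darwin_arm64.tar.gz
e23730b18d1ae83242f0d0b48ceeb2db71f55b5ef44426cc2830f98f8b571a3c  tfcmt_linux_amd64.tar.gz
`

func main() {
	sums, err := parseChecksumFile(sample, "sha256", `^(.{64})`, `^.{64}  (.*)$`)
	fmt.Println(sums["tfcmt_linux_amd64.tar.gz"], err)
}
```
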

suzuki-shunsuke commented 2 years ago

Supported package types

Unsupported package types

suzuki-shunsuke commented 2 years ago

aqua update-checksum

Download checksum files and create or update .aqua-checksum.json

$ aqua update-checksum

suzuki-shunsuke commented 2 years ago

Get checksum from checksum files

If checksum isn't found in .aqua-checksums.json, aqua tries to download checksum file and get checksums from it.

suzuki-shunsuke commented 2 years ago

POC: https://github.com/aquaproj/aqua/releases/tag/v1.19.0-0

suzuki-shunsuke commented 2 years ago

✅ Changed the format of .aqua-checksums.json for future update

Add a field checksums.

{
  "checksums": {
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_darwin_amd64.tar.gz": "dc057c1eab3c0e254f7e0a668096ca2dd79216106a3d6597811a0d91709068aa",
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_darwin_arm64.tar.gz": "e163468dac3cf8da437d5da993b6e9874f97e28de7cfc276cac35f6ab03e3410",
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_linux_amd64.tar.gz": "08bbbb54ce7a068f54fcf0e32b3fbd80025eae3f48126296f607223e084cf443",
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_linux_arm64.tar.gz": "f50f44900eae2ebd041f262c93b7f145f0fe8166f9b84e500ad4a05b3677ffb6",
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_windows_amd64.tar.gz": "e3b3f3c454ad1228af5540dff34ac37b7c98ef6c89f99da9069cf7f32204a905",
    "github_release/github.com/suzuki-shunsuke/tfcmt/v3.3.0/tfcmt_windows_arm64.tar.gz": "0e7f26a973afef87c7eb1681fdd639229b96c6f5122197ab56ddfa66f1d9af52"
  }
}

We will add fields in future.

e.g.

{
  "meta": {

  },
  "checksums": {}
}

suzuki-shunsuke commented 2 years ago

https://github.com/aquaproj/aqua-registry/pull/5194

suzuki-shunsuke commented 2 years ago

✅ type: http

https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS

94d1efad05a06c879b9c1afc8a6f7acb2532d33864225605fc766ecdd58d9888  terraform_1.2.6_darwin_amd64.zip
452675f91cfe955a95708697a739d9b114c39ff566da7d9b31489064ceaaf66a  terraform_1.2.6_darwin_arm64.zip
1bedf7564838493f7cd9cb72544996c27dcfbbae9bf5436ef334e865515e6f24  terraform_1.2.6_freebsd_386.zip
353b21367e5eb9804cfba3140e786c5c149c10098b2a54aa5be3ec30c8425be0  terraform_1.2.6_freebsd_amd64.zip
47aa169b52c4b566f37d9f39f41cfc34ee2e4152641a9109c2767f48007b2457  terraform_1.2.6_freebsd_arm.zip
3d6c0dc8836dbfcfc82e6ba69891f21bfad6a09116e6ddf7a14187b8ee0acce5  terraform_1.2.6_linux_386.zip
9fd445e7a191317dcfc99d012ab632f2cc01f12af14a44dfbaba82e0f9680365  terraform_1.2.6_linux_amd64.zip
322755d11f0da11169cdb234af74ada5599046c698dccc125859505f85da2a20  terraform_1.2.6_linux_arm64.zip
ed49a5422ca51cbc90472a754979f9bbba5f0c39f6a0abe570e525bbae4e6540  terraform_1.2.6_linux_arm.zip
426d39f1b87bf5dbda3ebb4585483288dba09c36731d5cae146f29df0119036c  terraform_1.2.6_openbsd_386.zip
5b0c59ffe5f83363b20f74df428490b95ff81f53348f8c8394519768085f3eef  terraform_1.2.6_openbsd_amd64.zip
64e70edf5af0e77f54d111ae318282aebcdaa33e8dd545b93881fd421dc4d982  terraform_1.2.6_solaris_amd64.zip
f26acca0060c42c0e6fb81d268fbf4ab9baac3d5f34c8263ecdb48c0a78f905b  terraform_1.2.6_windows_386.zip
1e3c884cf32879646f97b8b6a253686710eb6e445d44097580a27511a49db88b  terraform_1.2.6_windows_amd64.zip

    checksum:
      type: http
      algorithm: sha256
      url: https://releases.hashicorp.com/terraform/{{trimV .Version}}/terraform_{{trimV .Version}}_SHA256SUMS
      file_format: regexp
      pattern:
        checksum: ^(.{64})
        file: ^.{64}  (.*)$

http/releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_arm64.zip/terraform

  - type: http
    repo_owner: hashicorp
    repo_name: terraform
    url: https://releases.hashicorp.com/terraform/{{trimV .Version}}/terraform_{{trimV .Version}}_{{.OS}}_{{.Arch}}.zip
    description: Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned
    supported_envs:
      - linux
      - darwin
      - amd64
    checksum:
      type: http
      algorithm: sha256
      url: https://releases.hashicorp.com/terraform/{{trimV .Version}}/terraform_{{trimV .Version}}_SHA256SUMS
      file_format: regexp
      pattern:
        checksum: ^(.{64})
        file: ^.{64}  (.*)$
    version_constraint: semver(">= 1.0.2")
    version_overrides:
      - version_constraint: "true"
        rosetta2: true

suzuki-shunsuke commented 2 years ago

Require checksum

aqua.yaml

checksum:
  enabled: true
  require_checksum: true

If checksum isn't found in .aqua-checksums.json, it fails to install tools. You have to run aqua update-checksum in advance.

suzuki-shunsuke commented 2 years ago

✅ Generate checksum config in aqua gr command

$ aqua gr suzuki-shunsuke/tfcmt
packages:
  - type: github_release
    repo_owner: suzuki-shunsuke
    repo_name: tfcmt
    asset: tfcmt_{{.OS}}_{{.Arch}}.tar.gz
    description: Fork of mercari/tfnotify. tfcmt enhances tfnotify in many ways, including Terraform >= v0.15 support and advanced formatting options
    checksum:
      type: github_release
      path: tfcmt_{{trimV .Version}}_checksums.txt
      file_format: regexp
      pattern:
        checksum: ^(.{64})
        file: ^.{64}  (.*)$

suzuki-shunsuke commented 2 years ago

✅ Patch checksum config

https://github.com/aquaproj/registry-tool

$ aqua-registry patch-checksum registry.yaml

suzuki-shunsuke commented 2 years ago

✅ We have to support SHA512

asciigraph_0.5.5_sha512-checksums.txt

https://github.com/guptarohit/asciigraph/releases/tag/v0.5.5

https://pkg.go.dev/crypto/sha512

https://zenn.dev/shunsuke_suzuki/scraps/45a1c23d26b337

suzuki-shunsuke commented 2 years ago

✅ Rename github_release's path attribute to asset.

suzuki-shunsuke commented 2 years ago

Configuration

e.g.

aqua.yaml

checksum:
  enabled: true
  require_checksum_in_advance: true
  create_json: true
  require_checksum: false
  save_calculated_checksum: false
  excludes:
    - name: foo
      version: <= 1.0.0
      envs:
        - darwin
        - linux/amd64
    - registry: foo

| attribute | default | description |
| --- | --- | --- |
| enabled | true | Enable checksum verification |
| require_checksum_in_advance | false | When this is true, it fails to install a package if the checksum isn't found in .aqua-checksums.json in advance install |
| create_json | false | If this is true, aqua creates .aqua-checksums.json. Otherwise, aqua verifies checksum only downloading checksum file. |
| require_checksum | false | If this is true, it fails to install packages without checksum. This forbids to install packages without checksum configuration |
| save_calculated_checksum | false | If this is true, aqua adds a checksum calculated from downloaded asset when the checksum isn't found in .aqua-checksums.json and checksum file |
| excludes | [] | Disable checksum verification in the specific packages and registries |

excludes

All attributes are AND condition.

| attribute | description |
| --- | --- |
| name | package name. Glob support |
| version | version constraint |
| envs | os and arch |
| registry | registry name |

suzuki-shunsuke commented 2 years ago

Exclude unneeded os/arch checksum from .aqua-checksums.json

suzuki-shunsuke commented 2 years ago

Checklist

status

| emoji | description |
| --- | --- |
| | It is difficult to support |
| 🔺 | Currently, it is difficult to support, but let's consider supporting it later |
| 👻 | checksum file doesn't exist |
| | it works |

status package note
👻 1xyz/pryrite
99designs/aws-vault
👻 Aloxaf/silicon
Arriven/db1000n
👻 Azure/aks-engine
Azure/aztfy
BeryJu/korb
BurntSushi/ripgrep
Cian911/switchboard
CircleCI-Public/circleci-cli
ClementTsang/bottom
Dreamacro/clash
FairwindsOps/nova
FairwindsOps/pluto
FairwindsOps/polaris
FairwindsOps/rbac-lookup
FiloSottile/age
FiloSottile/mkcert
GoodwayGroup/gwvault
GoogleCloudPlatform/terraformer/aws
GoogleCloudPlatform/terraformer
GoogleContainerTools/container-diff
GoogleContainerTools/container-structure-test
GoogleContainerTools/kpt
GoogleContainerTools/skaffold
Jarred-Sumner/bun
Jeffail/benthos
Kong/deck
Ladicle/kubectl-rolesum
Lallassu/gorss
LukeChannings/deno-arm64
MiSawa/xq
Mic-U/ecsher
MusicDin/kubitect
PaulJuliusMartinez/jless
Peltoche/lsd
Percona-Lab/mysql_random_data_load
Phantas0s/devdash
Praqma/helmsman
🔺 Rigellute/spotify-tui It is difficult to support
Schniz/fnm
Shopify/ejson
Shopify/kubeaudit
Songmu/ecschedule
Songmu/ghch
Songmu/ghg
Songmu/gocredits
Songmu/gotesplit
Songmu/goxz
Songmu/horenso
SpectralOps/teller
TaKO8Ki/frum
TaKO8Ki/gobang
TheZoraiz/ascii-image-converter
TimothyYe/skm
TomWright/dasel
Traackr/binnacle
Trendyol/kink
Versent/saml2aws
Wilfred/difftastic
WoozyMasta/kube-dump
XAMPPRocky/tokei
🔺 abiosoft/colima https://github.com/aquaproj/aqua/issues/427#issuecomment-1207557765
abs-lang/abs
acorn-io/acorn
aelsabbahy/goss/dcgoss
aelsabbahy/goss/dgoss
aelsabbahy/goss/kgoss
aelsabbahy/goss
ahmetb/kubectl-tree
ahmetb/kubectx/kubens
ahmetb/kubectx
ajeetdsouza/zoxide
alexellis/arkade
alexellis/k3sup
amacneil/dbmate
anchore/grype
anchore/syft
andreazorzetto/yh
anqiansong/github-compare
antonmedv/fx
antonmedv/llama
apache/camel-k
aporia-ai/kubesurvival
aquaproj/aqua-installer
aquaproj/registry-tool
aquasecurity/chain-bench
aquasecurity/kube-bench
aquasecurity/kubectl-who-can
aquasecurity/starboard
aquasecurity/tfsec
aquasecurity/trivy
arduino/arduino-cli
argoproj-labs/argocd-autopilot
argoproj-labs/argocd-image-updater
argoproj/argo-cd
argoproj/argo-rollouts
argoproj/argo-workflows
aristocratos/btop
arl/gitmux
armosec/kubescape
arrow2nd/nekome
arttor/helmify
asciimoo/wuzz
astefanutti/kubebox
aws-containers/amazon-ecs-exec-checker
aws/amazon-ec2-instance-selector
aws/aws-cli
aws/copilot-cli
awslabs/amazon-ecr-credential-helper
awslabs/git-secrets
awslabs/ssosync
b3nj5m1n/xdg-ninja
b4b4r07/afx
b4b4r07/changed-objects
b4b4r07/gist
b4b4r07/git-bump
b4b4r07/github-labeler
b4b4r07/gomi
b4b4r07/iap_curl
b4b4r07/stein
barnybug/cli53
batchcorp/plumber
bats-core/bats-core
bcicen/ctop
bcicen/slackcat
becheran/roumon
benbjohnson/litestream
benchkram/bob
bengadbois/pewpew
bitnami-labs/sealed-secrets
blacknon/hwatch
bojand/ghz
bootandy/dust
boz/kail
bridgecrewio/yor
brigadecore/brigade
bronze1man/yaml2json
budimanjojo/talhelper
bufbuild/buf
buildkite/agent
buildkite/cli
buildpacks/pack
c-bata/kube-prompt
c1982/bomberman
caarlos0/fork-cleaner
cantino/mcfly
casey/just
cea-hpc/sshproxy
chanzuckerberg/fogg
charmbracelet/glow
charmbracelet/gum
che-incubator/chectl
cheat/cheat
chmln/sd
chriswalz/bit
civo/cli
cli/cli
clog-tool/clog-cli
cloud-hypervisor/cloud-hypervisor/ch-remote
cloud-hypervisor/cloud-hypervisor
cloudflare/cfssl/mkbundle
cloudflare/cfssl
cloudflare/cloudflared
cloudflare/gokey
cloudfoundry/bosh-cli
cloudfoundry/credhub-cli
cloudposse/atmos
cloudspannerecosystem/wrench
cloudspannerecosystem/yo
cnrancher/autok3s
codeclimate/test-reporter
coder/coder
codesenberg/bombardier
compose/transporter
containerd/nerdctl
controlplaneio/kubesec
corneliusweig/ketall
corneliusweig/rakkess/access-matrix
corneliusweig/rakkess
cortesi/modd
cosmtrek/air
crate-ci/typos
create-go-app/cli
crossplane/crossplane
cswank/kcli
cue-lang/cue
cyberark/kubeletctl
cycloidio/inframap
dagger/dagger
dalance/procs
dandavison/delta
danielfoehrKn/kubeswitch
danielfoehrKn/kubeswitch/switch-sh
dapr/cli
databricks/click
datanymizer/datanymizer
datastax-labs/astra-cli
datreeio/datree
ddddddO/gtree
ddosify/ddosify
deepmap/oapi-codegen
denisidoro/navi
denoland/deno
derailed/k9s
derailed/popeye
deref/exo
deviceinsight/kafkactl
devops-works/dw-query-digest
devops-works/egress-auditor
dhall-lang/dhall-haskell
digitalocean/doctl
direnv/direnv
dnnrly/abbreviate
docker-slim/docker-slim
docker/cli
docker/cli/rootless
docker/compose
doitintl/kube-no-trouble
dolthub/dolt
dominikh/go-tools/staticcheck
dotenv-linter/dotenv-linter
dprint/dprint
drlau/akashi
dstotijn/hetty
dtan4/k8stail
ducaale/xh
dundee/gdu
dutchcoders/cloudman
dwisiswant0/tlder
earthly/earthly
editorconfig-checker/editorconfig-checker
ekalinin/github-markdown-toc
ekzhang/bore
emirozer/kubectl-doctor
env0/terratag
ernoaapa/kubectl-warp
errata-ai/vale
erroneousboat/slack-term
evilmartians/lefthook
exoscale/cli
extrawurst/gitui
fabpot/local-php-security-checker
fatedier/frp
ffuf/ffuf
fiatjaf/jiq
firecracker-microvm/firecracker
fishi0x01/vsh
fission/fission
flosell/iam-policy-json-to-terraform
fluxcd/flux2
fsaintjacques/semver-tool
fujiwara/lambroll
fujiwara/tfstate-lookup
fujiwara/tracer
fullstorydev/grpcurl
gabrie30/ghorg
gcla/termshark
genuinetools/img
genuinetools/reg
geofffranks/spruce
getsentry/sentry-cli
getzola/zola
ginuerzh/gost
git-chglog/git-chglog
git-lfs/git-lfs
github.com/zeromicro/go-zero/tools/goctl
github/hub
github/licensed
gleam-lang/gleam
go-jira/jira
go-swagger/go-swagger
go-task/task
goccy/kubetest
gocruncher/jenkins-job-cli
gohugoio/hugo
gojuno/minimock
gokcehan/lf
golang-migrate/migrate
golang.org/x/perf/cmd/benchstat
golang.org/x/tools/cmd/goimports
golang.org/x/tools/gopls
golang/go
golang/mock
golangci/golangci-lint
gomods/athens
goodwithtech/dockle
google/go-containerregistry
google/go-jsonnet
google/jsonnet
google/ko
google/pprof
google/wire
gopasspw/gopass
goreleaser/goreleaser
goreleaser/nfpm
gotestyourself/gotestsum
grafana/grafana-kiosk
grafana/grizzly
grafana/k6
grafana/loki/logcli
grafana/tanka
greymd/teip
grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
grpc-ecosystem/grpc-gateway/protoc-gen-openapiv2
grpc/grpc-go/protoc-gen-go-grpc
gruntwork-io/kubergrunt
gruntwork-io/terragrunt
gsamokovarov/jump
hadolint/hadolint
hairyhenderson/gomplate
harelba/q
harness/drone-cli
hashicorp/consul
hashicorp/go-getter
hashicorp/levant
hashicorp/nomad
hashicorp/packer
hashicorp/terraform-ls
hashicorp/terraform-plugin-docs
hashicorp/terraform
hashicorp/vault
hashicorp/waypoint
haskell/cabal/cabal-install
haskell/ghcup-hs
hasura/graphql-engine
heartbeatsjp/check-tls-cert
helm/chart-releaser
helm/chart-testing
helm/helm
helmwave/helmwave
hetznercloud/cli
hhatto/gocloc
hidetatz/kubecolor
high-moctane/mocword
high-moctane/nextword
hktalent/scan4all
hmarr/codeowners
homeport/dyff
homeport/havener
iann0036/iamlive
iawia002/lux
im2nguyen/rover
incu6us/goimports-reviser
influxdata/influx-cli
infracost/infracost
inlets/inlets-pro
inlets/inletsctl
instrumenta/kubeval
int128/ghcp
int128/kauthproxy
int128/kubectl-external-forward
int128/kubelogin
int128/yamlpatch
iovisor/kubectl-trace
ipfs/kubo
istio/istio/istioctl
itamae-kitchen/mitamae
itchyny/gojo
itchyny/gojq
itchyny/mmv
ivanilves/lstags
jacobdeichert/mask
jamesob/desk
jenkins-zh/jenkins-cli
jesseduffield/horcrux
jesseduffield/lazydocker
jesseduffield/lazygit
jetstack/cert-manager/cmctl
jez/as-tree
jiro4989/ojosama
jiro4989/relma
jiro4989/textimg
joehillen/sysz
johanhaleby/kubetail
johnkerl/miller
jonaslu/ain
joshdk/retry
jpillora/chisel
jreisinger/checkip
jreleaser/jreleaser
jreleaser/jreleaser/standalone
jsonnet-bundler/jsonnet-bundler
jtyr/gbt
juliosueiras/terraform-lsp
junegunn/fzf/fzf-tmux
junegunn/fzf
k0sproject/k0s
k0sproject/k0sctl
kanisterio/kanister
kastenhq/external-tools/k10multicluster
kastenhq/external-tools/k10tools
kastenhq/kubestr
katbyte/terrafmt
kayac/ecspresso
kdabir/has
kevwan/depu
kevwan/tproxy
kitabisa/teler
knative/client
knqyf263/cob
knqyf263/pet
knqyf263/utern
ko1nksm/shdotenv
koalaman/shellcheck
kool-dev/kool
kopia/kopia
kreuzwerker/awsu
kreuzwerker/envplate
kreuzwerker/m1-terraform-provider-helper
ktock/buildg
ktr0731/evans
kubecost/kubectl-cost
kubemq-io/kubemqctl
kubernetes-sigs/cluster-api
kubernetes-sigs/controller-tools/controller-gen
kubernetes-sigs/kind
kubernetes-sigs/krew https://github.com/kubernetes-sigs/krew/releases/tag/v0.4.3
kubernetes-sigs/kubebuilder
kubernetes-sigs/kubefed
kubernetes-sigs/kustomize
kubernetes/kompose
kubernetes/kops https://github.com/kubernetes/kops/releases/tag/v1.24.1
kubernetes/kubectl
kubernetes/minikube
kubesphere/kubeeye
kudobuilder/kuttl
kurehajime/dajarep
kurehajime/kuzusi
kurehajime/pong-command
kvaps/kubectl-node-shell
kvz/json2hcl
kyleconroy/sqlc
kyoh86/richgo
lc/gau
liamg/comet
liamg/dismember
liamg/extrude
liamg/gitjacker
liamg/memit
liamg/pax
liamg/scout
liamg/traitor
liggitt/audit2rbac
lima-vm/lima
livebud/bud
loft-sh/devspace
loft-sh/vcluster https://github.com/loft-sh/vcluster/releases/tag/v0.11.0
lotabout/skim
maaslalani/slides
magefile/mage
mantil-io/mantil
marcosnils/bin
marp-team/marp-cli
mattn/efm-langserver
mattn/gof
mattn/goreman
mattn/memo
megaease/easeprobe
mercari/hcledit
mercari/tfnotify
mergestat/mergestat
mgdm/htmlq
microsoft/ripgrep-prebuilt
mikefarah/yq
miku/zek
minamijoyo/hcledit
minamijoyo/tfmigrate
minamijoyo/tfschema
minamijoyo/tfupdate
miniscruff/changie
minishift/minishift https://github.com/minishift/minishift/releases/tag/v1.34.3
mitchellh/gox
mkchoi212/fac
mongodb/mongocli
mozilla/sops
mpostument/awstaghelper
msoap/shell2http
mszostok/codeowners-validator
muesli/duf
mumoshu/config-registry
mumoshu/variant
mumoshu/variant2
mvdan/gofumpt
mvdan/sh
naggie/dstask/dstask-import
naggie/dstask
nakabonne/ali
nametake/golangci-lint-langserver
nektos/act
neovim/neovim
newrelic/newrelic-cli
nikochiko/autosaved
ninja-build/ninja
noborus/trdsql
nojima/httpie-go
norwoodj/helm-docs
npryce/adr-tools
numtide/treefmt https://github.com/numtide/treefmt/releases/tag/v0.4.1
nushell/nushell
o2sh/onefetch
oam-dev/kubevela/kubectl-plugin
oam-dev/kubevela
ogham/dog
ogham/exa
okteto/okteto
open-policy-agent/conftest
open-policy-agent/opa
openfaas/faas-cli
operator-framework/operator-registry
operator-framework/operator-sdk
optiv/Mangle
orf/gping
orhun/git-cliff
orisano/dlayer
ossf/scorecard
owenthereal/upterm
ozankasikci/dockerfile-generator
pacedotdev/oto
particledecay/kconf
peak/s5cmd
peco/peco
pemistahl/grex
pen-lang/pen
pglet/pglet
phiresky/ripgrep-all
pivotal-cf/om
pivotal-cf/pivnet-cli
planetscale/cli
plexsystems/sinker
porter-dev/porter
postfinance/kubectl-sudo
praetorian-inc/gokart
pressly/goose
profclems/glab
projectdiscovery/httpx
projectdiscovery/naabu https://github.com/projectdiscovery/naabu/releases/tag/v2.1.0
projectdiscovery/nuclei
projectdiscovery/subfinder
projectdiscovery/tlsx
protocolbuffers/protobuf-go/protoc-gen-go
pulumi/kubespy
pulumi/pulumi
pulumi/tf2pulumi
quarkslab/kdigger
rancher/cli
rancher/k3d
rancher/kim
rancher/rke
rapiz1/catp
rclone/rclone
rebuy-de/aws-nuke
replicatedhq/kots
replicatedhq/outdated
restic/restic
reviewdog/reviewdog
rhysd/actionlint
rhysd/hgrep
rhysd/vim-startuptime
rikatz/kubepug
rlmcpherson/s3gof3r
roboll/helmfile
robscott/kube-capacity
rogerwelin/cassowary
ropnop/kerbrute
rs/curlie
rust-lang/mdBook
rust-lang/rust-analyzer
ryane/kfilt
s0md3v/Smap
sachaos/note
sachaos/tcpterm
sachaos/todoist
sachaos/toggl
sachaos/viddy
sahilm/yamldiff
sanathp/statusok
sbstp/kubie
scaleway/scaleway-cli
schollz/croc
sclevine/yj
securego/gosec
segmentio/chamber
sethvargo/ratchet
sharkdp/bat
sharkdp/diskus
sharkdp/fd
sharkdp/hexyl
sharkdp/hyperfine
sharkdp/pastel
sheepla/fzwiki
sheepla/longgopher
sheepla/pingu
sheepla/qiitaz
sheepla/srss
shellspec/shellspec
shipyard-run/shipyard
shyiko/kubesec
siderolabs/conform
siderolabs/talos
siderolabs/theila
sigstore/cosign
sigstore/gitsign
sigstore/rekor
six-ddc/plow
skanehira/gjo
slackhq/nebula
slok/sloth
slsa-framework/slsa-verifier
snyk/driftctl
soywod/himalaya
spinnaker/spin
sqshq/sampler
squat/kilo
sstadick/crabz
stackrox/kube-linter
🔺 starship/starship https://github.com/aquaproj/aqua/issues/427#issuecomment-1207557765
stedolan/jq
stepchowfun/docuum
stern/stern
stoplightio/spectral
sumneko/lua-language-server
suzuki-shunsuke/akoi
suzuki-shunsuke/asciinema-trim
suzuki-shunsuke/checkout-merged-branch-with-ci-info
suzuki-shunsuke/ci-info
suzuki-shunsuke/ci-renovate-config-validator
suzuki-shunsuke/circleci-config-merge
suzuki-shunsuke/cmdx
suzuki-shunsuke/dd-time
suzuki-shunsuke/discussion-slack-notifier
suzuki-shunsuke/durl
suzuki-shunsuke/git-rm-branch
suzuki-shunsuke/github-comment
suzuki-shunsuke/matchfile
suzuki-shunsuke/renovate-issue-action
suzuki-shunsuke/tfcmt
suzuki-shunsuke/yaml2json
swaggo/swag
sysdiglabs/kube-psp-advisor
taskctl/taskctl
tcnksm/ghr
tektoncd/cli
telepresenceio/telepresence
temporalio/tctl
temporalio/temporal
tenable/terrascan
terraform-docs/terraform-docs
terraform-linters/tflint
tfmigrator/cli
tfutils/tfenv
thazelart/terraform-validator
theryangeary/choose
thought-machine/please
tilt-dev/ctlptl
tilt-dev/tilt
timdp/lwc
tinygo-org/tinygo
tkuchiki/alp
tmccombs/hcl2json
tomnomnom/gron
trufflesecurity/driftwood
trufflesecurity/trufflehog
tsenart/vegeta
turbot/steampipe
twpayne/chezmoi
txn2/kubefwd
up9inc/mizu
updatecli/updatecli
uptrace/uptrace
uw-labs/strongbox
uzimaru0000/tv
variantdev/vals
vektra/mockery
vi/websocat
vishaltelangre/ff
visma-prodsec/confused
vmware-tanzu/carvel-imgpkg
vmware-tanzu/carvel-kapp
vmware-tanzu/carvel-kbld
vmware-tanzu/carvel-kwt
vmware-tanzu/carvel-vendir
vmware-tanzu/carvel-ytt
vmware-tanzu/octant
vmware-tanzu/velero
wader/fq
wagoodman/dive
wallix/awless
watchexec/watchexec
weaveworks/eksctl
webdevops/go-crond
windvalley/gossh
wtfutil/wtf
x-motemen/ghq
xiecat/fofax
xitonix/trubka
xo/usql
xtaci/kcptun
xwjdsh/manssh
xxxserxxx/gotop
yannh/kubeconform
ycd/dstp
yohamta/dagu
zaquestion/lab
zegl/kube-score
zellij-org/zellij
ziglang/zig
zigtools/zls
zix99/rare
zricethezav/gitleaks

suzuki-shunsuke commented 2 years ago

https://github.com/Rigellute/spotify-tui/releases/tag/v0.25.0

It is difficult to support.

https://github.com/abiosoft/colima/releases/tag/v0.4.4

https://github.com/starship/starship/releases/tag/v1.9.1

suzuki-shunsuke commented 2 years ago

How to support multiple checksum files

    checksum:
      type: github_release_multifile
      asset: spotify-tui-{{.OS}}.sha256
      file_format: raw

suzuki-shunsuke commented 2 years ago

Published the document. https://aquaproj.github.io/docs/reference/checksum

suzuki-shunsuke commented 2 years ago

Published the prerelease version. https://github.com/aquaproj/aqua/releases/tag/v1.20.0-0-checksum

suzuki-shunsuke commented 2 years ago

https://github.com/aquaproj/aqua/releases/tag/v1.20.0-1-checksum

suzuki-shunsuke commented 2 years ago

✅ Support both aqua-checksums.json and .aqua-checksums.json. If .?aqua-checksums\.json isn't found, aqua creates aqua-checksums.json.

I dislike the convention of ., but this is widely accepted so aqua supports this convention too.

suzuki-shunsuke commented 2 years ago

https://github.com/aquaproj/aqua/releases/tag/v1.20.0-2-checksum

suzuki-shunsuke commented 2 years ago

Disabled the checksum verification once and merged https://github.com/aquaproj/aqua/pull/1070 Then I created https://github.com/aquaproj/aqua/pull/1118

suzuki-shunsuke commented 2 years ago

Troubleshooting

parse a checksum file: no checksum is extracted

FATA[0001] aqua failed                                   aqua_version= env=darwin/arm64 error="parse a checksum file: no checksum is extracted" program=aqua

Probably this means the package's registry configuration is wrong.

If you use the standard registry, please create an issue or pull request to aquaproj/aqua-registry.

suzuki-shunsuke commented 1 year ago

Finally, aqua now supports the Checksum Verification. 🎉

https://github.com/aquaproj/aqua/releases/tag/v1.20.0

This was very tough work.

Please try it and give us your feedback!

https://aquaproj.github.io/docs/reference/checksum