Closed jmmv closed 1 year ago
Wohoo. Tests pass now in all platforms and I have rebased this to resolve conflicts. Any thoughts on this @fweikert ?
@fweikert Thanks for the quick response! Now I'd like to divert your attention to https://github.com/bazelbuild/bazelisk/pull/427 but I first need to fix merge conflicts caused by this PR :)
The new BAZELISK_VERIFY_SHA256 variable can be set to the expected SHA256 hash of the downloaded Bazel binary. If set, then the binary is required to match the hash before it is used.
This is important for cases where provenance of the artifact cannot be asserted purely via the HTTPS trust chain (such as what happens in a mutable artifact repository with lax access controls).