hauserx
commented
1 month ago Alternative version that would allow to error out if os-arch for current platform is missing:
BAZELISK_VERIFY_SHA256=linux-x86_64:64b0832fd6c57635b9de3711d51beca9c4bf99c6bb3b663249cdbfdca16fb9f1,windows-x86_64:9fb6f439e2eb646b9bae7bd2c0317165c0b08abc0bba25f6af53180fa1f86997
It creates somewhat long lines so still wonder which version to implement.
For stock bazel though I think verifying signature could be better - https://github.com/bazelbuild/bazelisk/issues/15
Bazelisk downloads platform specific version of bazel (windows,linux,etc) and then verifies SHA with value from BAZELISK_VERIFY_SHA256. It does not work if a given project is built on more than one platform.
Possibly bazelisk could search for platform specific SHA, and use those if found:
BAZELISK_VERIFY_SHA256_LINUX_X86_64 BAZELISK_VERIFY_SHA256_WINDOWS_ARM64
If specific variable is not found then it would fallback to BAZELISK_VERIFY_SHA256 as today.