Open dcharkes opened 6 months ago
Also an interesting feature: Take an optional SHA256 hash to check against. Doesn't need to be implemented in this PR though.
In cargokit (project I'm hoping to retire the moment native assets are no longer experimental) I use private / public key to check the downloaded binaries. The public key is part of dart package, and when downloading binaries a ed25519_edwards
signature is downloaded alongside to verify that the binary was built by the github workflow (the repository has access to private key as a github secret).
I'm punting this from
package:native_assets_cli
.This should likely live in a separate helper package.
It might implement the shared interface
Builder
: