Open ebb-earl-co opened 6 months ago
Checksums seem to be not a big problem: I just added a one-line Python "program" from shell invocation:
python3 -c "from hashlib import sha256;from pathlib import Path;Path('tidal-wave_macos_amd64.sha256').write_text(f'''{sha256(Path('./dist/tidal-wave_macos_amd64').read_bytes()).hexdigest()}\ttidal-wave_macos_amd64''')"
Issue 1: Cryptographically Signing Release Artifacts
It seems to be rather poor practice offering release artifacts, and, in 2024, not to sign them!
Options To Solve the Issue
age
minisign
Consideration
I already use
GnuPG
to sign all of my commits, so it would be natural to use that same signing key for this project's release artifacts...Issue 2: Providing Checksums of Release Artifacts
There must be a GitHub action that automatically creates checksums of artifacts! (The most popular one only has 8 stars!?)
Options to Solve the Issue
At the very least
BLAKE3
is the future (?)Consideration
How difficult would it be to roll my own GitHub actions workflow that checksums and signs release artifacts, then adds new release artifacts containing the signatures of the binaries as well as a CHECKSUMS text file?