Checksums and GPG Signing for Release Artifacts

[ebb-earl-co]

Issue 1: Cryptographically Signing Release Artifacts

It seems to be rather poor practice offering release artifacts, and, in 2024, not to sign them!

Options To Solve the Issue

• PGP
• age
• minisign

Consideration

I already use GnuPG to sign all of my commits, so it would be natural to use that same signing key for this project's release artifacts...

Issue 2: Providing Checksums of Release Artifacts

There must be a GitHub action that automatically creates checksums of artifacts! (The most popular one only has 8 stars!?)

Options to Solve the Issue

At the very least

• MD5
• SHA256, for legacy and the fact that 2 to the 256 power is mind-bogglingly large
• BLAKE3 is the future (?)

Consideration

How difficult would it be to roll my own GitHub actions workflow that checksums and signs release artifacts, then adds new release artifacts containing the signatures of the binaries as well as a CHECKSUMS text file?

[ebb-earl-co]

Checksums seem to be not a big problem: I just added a one-line Python "program" from shell invocation:

python3 -c "from hashlib import sha256;from pathlib import Path;Path('tidal-wave_macos_amd64.sha256').write_text(f'''{sha256(Path('./dist/tidal-wave_macos_amd64').read_bytes()).hexdigest()}\ttidal-wave_macos_amd64''')"