elementary / os

The OS build system
https://elementary.io
GNU General Public License v3.0

Echo checksums to build log #570

Closed davidmhewitt closed 2 years ago

davidmhewitt commented 2 years ago

Someone raised an interesting point here: https://www.reddit.com/r/elementaryos/comments/qv3rrz/how_do_end_users_know_that_the_image_we_are/

Essentially, "How do we know the image we're downloading is the same one that got built?". The checksum on the website verifies that the file you're downloading is the one we published. But how do people know the file we published is the one we built?

This sort of goes into the whole issue of reproducible builds, which is something that we don't do, and is pretty hard to do. But a really easy extra step we can do here is output the generated SHA256 sum to the build log, so that curious people can at least verify that the image built in GitHub actions is the same one we publish to the website.
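The extra step described above, as an added example that is not the elementary/os build script: a POSIX shell snippet that computes an image's SHA256, prints it to the CI build log (and, when GitHub Actions provides it, to the run's step summary), and on the consumer side checks a downloaded image against the digest published on the website. The file names, the `log_checksum`/`verify_checksum` helper names and the use of the `GITHUB_STEP_SUMMARY` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not elementary/os project code). Helper names, file names and
# the GITHUB_STEP_SUMMARY usage are assumptions for illustration.

# Print only the hex SHA256 digest of a file. Uses sha256sum (coreutils) when
# present, falling back to shasum so the same script works on macOS runners.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# Build side: emit the checksum in the build log in an easy-to-grep form.
# In a GitHub Actions job, stdout is the build log; when GITHUB_STEP_SUMMARY
# is set, the line is also surfaced on the run's summary page.
log_checksum() {
    file="$1"
    sum="$(sha256_of "$file")"
    line="SHA256 ($file) = $sum"
    echo "$line"
    if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
        echo "$line" >> "$GITHUB_STEP_SUMMARY"
    fi
}

# Consumer side: compare a downloaded file against a published digest.
# Returns 0 on match, 1 on mismatch. Both sides are lower-cased so a digest
# copied from a web page in upper case still compares correctly.
verify_checksum() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Example usage (assumed file name):
#   log_checksum elementaryos.iso                       # in the CI build step
#   verify_checksum elementaryos.iso "$(cat elementaryos.iso.sha256)"   # after download
```

The point of printing the digest from inside the build job is that the log is produced by the CI run itself, so a reader can compare the digest on the website against one that the publisher did not type by hand; the consumer-side check is the same comparison done locally.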