gruntwork-io / fetch

Download files, folders, and release assets from a specific git commit, branch, or tag of public and private GitHub repos.
https://www.gruntwork.io/
MIT License

Support tag and commit ID verification. #35

Open josh-padnick opened 6 years ago

josh-padnick commented 6 years ago

In #34, we added the ability to validate a release asset by its checksum. But what to do about files downloaded straight from the repo? It seems the best we can do here is to validate the commit itself versus individual files, so one possibility is that fetch could be updated so that you can pass in both --tag and --commit-id and if the two don't match, fetch will fail. This will inoculate users against git tags whose associated git commit has been changed.
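The `--tag` plus `--commit-id` check proposed above, as an added example that is not part of the issue and not fetch's own code. It assumes the remote's refs are available in `git ls-remote --tags` output format; the function names and the sample refs are constructed for illustration. It also covers annotated tags, where the tag's own object ID differs from the commit it points to.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in `git ls-remote --tags` format: v0.1.0 is a lightweight
// tag, v0.2.0 an annotated tag whose commit is on the peeled "^{}" line.
const sampleRefs = "1111111111111111111111111111111111111111\trefs/tags/v0.1.0\n" +
	"2222222222222222222222222222222222222222\trefs/tags/v0.2.0\n" +
	"3333333333333333333333333333333333333333\trefs/tags/v0.2.0^{}\n"

// Only full 40-hex SHA-1 IDs are accepted; a prefix is a weaker pin.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ResolveTag returns the commit that tag points to in refs, or "" if absent.
func ResolveTag(refs, tag string) string {
	ref, commit := "refs/tags/"+tag, ""
	for _, line := range strings.Split(refs, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) != 2: // blank or malformed line, ignore
		case f[1] == ref+"^{}":
			return f[0] // peeled entry: the commit behind an annotated tag
		case f[1] == ref:
			commit = f[0] // lightweight tag, unless a peeled line follows
		}
	}
	return commit
}

// VerifyTagCommit fails unless tag currently resolves to exactly commitID.
func VerifyTagCommit(refs, tag, commitID string) error {
	want := strings.ToLower(commitID)
	if !fullSHA.MatchString(want) {
		return fmt.Errorf("commit ID %q is not a full 40-character SHA-1", commitID)
	}
	if got := ResolveTag(refs, tag); got != want {
		return fmt.Errorf("tag %q resolves to %q, expected %s", tag, got, want)
	}
	return nil
}

func main() {
	fmt.Println(VerifyTagCommit(sampleRefs, "v0.2.0", strings.Repeat("3", 40)))
}
```

A tag that has been moved since the commit ID was recorded, or that does not exist, produces an error instead of a download.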