search

mp4096 / indentex

An indentation-based superset of LaTeX
MIT License
9 stars 2 forks source link

Provide hashes of the binary releases #33

Closed mp4096 closed 7 years ago

mp4096 commented 7 years ago

I want to provide SHA-512, SHA3-512 and blake2 hashes for each binary we deploy to GitHub releases.

Here is an example: PowerShell releases

Basically we have to generate the hashes using openSSL or something like this and append them to the release description => we have to dig into GitHub API. Here's the first lead.

mp4096 commented 7 years ago

I will take this.

syxolk commented 7 years ago

Do you know how to coordinate between travis and appveyor? Because I don't :)

mp4096 commented 7 years ago

Well, I think there are two approaches. The first one is an asynchronous YOLO approach, where Travis and AppVeyor have an after_deploy script, which appends the hashes to the current release message. Sure, in this case you don't have any guarantee about the order in which hashes are appended. And you have a nice possibility of a (kind of) race condition, hence YOLO.

The second one would be to use AWS Lambda + Step Functions + S3 in order to make it 100% correctly, i.e.:

  1. Travis and AppVeyor build the packages and compute their hashes
  2. These artifacts are deployed to some intermediate S3 staging bucket
  3. When all artifacts are available, they are appended to the GitHub release at the same time

serverless

syxolk commented 7 years ago

What do you think about the approach taken here (note the *.DIGEST files): https://github.com/keepassxreboot/keepassxc/releases ?

We won't have the race condition and it's perfectly validatable using sha512sum -c example.DIGEST

There is also the built-in Get-FileHash for PoSh but from your list it only supports SHA-512.

mp4096 commented 7 years ago

Oh, this is a great idea! Still a little bit heartbreaking to put chipper to rest. I'll do it in Travis and see how far can I go in AppVeyor.

As for the list of my hash functions: I think it's realistic to expect that a user has only SHA2-256 / SHA2-512 installed. Everything else looks really bad (fun fact: SHA3 support first appeared in Python 3.6!).

mp4096 commented 7 years ago

Apart from all of this: After some thought, I think it's kind of useless to add hashes to GitHub Releases. If someone would have compromised GitHub Releases and the uploaded binaries there, they would be certainly smart enough to replace the hash digests.

So it's probably a good idea to use a second publishing outlet, e.g. Twitter.

mp4096 commented 7 years ago

@syxolk Could you please look into digest generation with PowerShell? I just discovered that my Win7 box has only PoSh 2.0 and it doesn't support Get-FileHash.

I've done the Travis stuff in dev-digest, so you should probably start there. Thanks!