Closed mp4096 closed 7 years ago
I will take this.
Do you know how to coordinate between travis and appveyor? Because I don't :)
Well, I think there are two approaches. The first one is an asynchronous YOLO approach, where Travis and AppVeyor have an after_deploy script, which appends the hashes to the current release message. Sure, in this case you don't have any guarantee about the order in which hashes are appended. And you have a nice possibility of a (kind of) race condition, hence YOLO.
The second one would be to use AWS Lambda + Step Functions + S3 in order to make it 100% correctly, i.e.:
What do you think about the approach taken here (note the *.DIGEST files): https://github.com/keepassxreboot/keepassxc/releases ?
We won't have the race condition and it's perfectly validatable using sha512sum -c example.DIGEST
There is also the built-in Get-FileHash for PoSh but from your list it only supports SHA-512.
Oh, this is a great idea! Still a little bit heartbreaking to put chipper to rest. I'll do it in Travis and see how far I can go in AppVeyor.
As for the list of my hash functions: I think it's realistic to expect that a user has only SHA2-256 / SHA2-512 installed. Everything else looks really bad (fun fact: SHA3 support first appeared in Python 3.6!).
Apart from all of this: After some thought, I think it's kind of useless to add hashes to GitHub Releases. If someone had compromised GitHub Releases and the uploaded binaries there, they would certainly be smart enough to replace the hash digests.
So it's probably a good idea to use a second publishing outlet, e.g. Twitter.
@syxolk Could you please look into digest generation with PowerShell? I just discovered that my Win7 box has only PoSh 2.0 and it doesn't support Get-FileHash.
I've done the Travis stuff in dev-digest, so you should probably start there. Thanks!
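As an added example (not part of the thread and not the project's own code): one way to produce a SHA-512 digest file on PowerShell 2.0 without Get-FileHash, in the format that `sha512sum -c` accepts. The function name `Write-Sha512Digest` and the sample file `example.bin` are assumptions made for illustration.

```powershell
# Added example: SHA-512 digest generation that runs on PowerShell 2.0
# (no Get-FileHash). Function name and file names are assumptions.
function Write-Sha512Digest {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )

    $file   = Get-Item -LiteralPath $Path
    $sha    = [System.Security.Cryptography.SHA512]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        # Hash from a stream so large binaries are not loaded into memory.
        $bytes = $sha.ComputeHash($stream)
    }
    finally {
        $stream.Dispose()
        $sha.Clear()   # Clear() is the public release method on .NET 2.0/3.5
    }

    # sha512sum expects lowercase hex, then " *" (binary mode), then the name.
    $hex  = ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    $line = "{0} *{1}`n" -f $hex, $file.Name

    # Out-File and ">" write UTF-16 with a BOM and CRLF line endings in
    # Windows PowerShell, which breaks "sha512sum -c". Write UTF-8 without
    # a BOM and a single LF instead.
    $digestPath = $file.FullName + '.DIGEST'
    $encoding   = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($digestPath, $line, $encoding)
    return $digestPath
}

# Constructed sample artifact so the example runs offline.
$sample = Join-Path $env:TEMP 'example.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](1..64))
$digest = Write-Sha512Digest -Path $sample
Get-Content $digest
```

The digest line stores only the file name, so verification with `sha512sum -c example.bin.DIGEST` has to run from the directory that holds the downloaded binary.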
I want to provide SHA-512, SHA3-512 and blake2 hashes for each binary we deploy to GitHub releases.
Here is an example: PowerShell releases
Basically we have to generate the hashes using OpenSSL or something like this and append them to the release description => we have to dig into GitHub API. Here's the first lead.