mvdan / sh

A shell parser, formatter, and interpreter with bash support; includes shfmt
https://pkg.go.dev/mvdan.cc/sh/v3
BSD 3-Clause "New" or "Revised" License

SHA-256 checksums file for each new release #901

Closed bryanburke closed 1 year ago

bryanburke commented 2 years ago

Only similar issue I could find is #394, but that issue was closed a while back due to lack of OP reply.

I believe a file of release binary SHA-256 checksums (e.g., as generated by sha256sum) included in each new GitHub release would be helpful for automation.

For example, when pinning and installing a specific version of shfmt via a script in a CI pipeline, the DevOps engineer must currently pre-download the binary, calculate the checksum, and store it in the script or an env var. Ideally, the engineer could provide only the desired version to the script, which could then compare the downloaded binary against the published release checksum as a basic form of integrity checking.

Note that I am not asking the project to retrofit previous releases with checksums, only add them to future releases.

Thanks for your time and this incredible tool!

mvdan commented 2 years ago

Sure. Is there a standard way to do this with GitHub releases? As part of the release description, as extra downloads containing only the hash string, or perhaps as part of each filename like shfmt_v3.5.1_linux_amd64_hexhash?

bryanburke commented 2 years ago

The two most typical approaches I have seen are the following:

  1. A single text file as an additional release artifact (usually named checksums.txt, sha256sum.txt, etc.) with one checksum per line.

  2. One text file per binary as additional release artifacts (usually named NAME_OF_BINARY.sha2, NAME_OF_BINARY.sha256, etc.) with only the checksum digest in each file.

GoReleaser uses the first approach, for example: https://goreleaser.com/customization/checksum/
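The CI workflow from the first comment (pin a version, download the binary, compare it against the published checksum) together with the one-checksum-per-line file format described here, as an added example that is not code from the mvdan/sh project or from either commenter. It assumes the `sha256sum` output format (`<hex>  <filename>`), a release asset URL of the form `https://github.com/mvdan/sh/releases/download/<tag>/<asset>`, and takes the checksum file's name as a parameter because the thread does not fix one; the fixture files it verifies are constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the mvdan/sh project: verify a pinned release
# binary against a sha256sum-style checksums file before using it in CI.
# Assumed (not stated in the thread): the asset URL layout
# https://github.com/mvdan/sh/releases/download/<tag>/<asset> and the
# checksum file name, which is passed in as a parameter.
set -eu

# Print the SHA-256 hex digest of a file (sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the digest listed for a file's basename in a sha256sum-format file
# ("<hex>  <name>" per line). Fails when the name is missing or the digest is
# not 64 lowercase hex characters, so a malformed entry cannot "pass".
expected_sha256() {
  name=$(basename "$1")
  # A leading "*" on the name marks sha256sum's binary mode; strip it before comparing.
  digest=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
  case "$digest" in
    "" | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#digest}" -eq 64 ] || return 1
  printf '%s\n' "$digest"
}

# Return 0 when the file's digest equals its entry in the checksums file, 1 otherwise.
verify_checksum() {
  want=$(expected_sha256 "$1" "$2") || {
    echo "no usable checksum entry for $(basename "$1") in $2" >&2
    return 1
  }
  got=$(sha256_of "$1")
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $1: expected $want, got $got" >&2
    return 1
  fi
}

# Download one pinned asset plus the checksum file from the same release and
# verify before installing. Needs network access, so it is not called below.
install_pinned_release() {
  tag="$1"; asset="$2"; sums="$3"; dest="$4"
  base="https://github.com/mvdan/sh/releases/download/$tag"   # assumed layout
  curl -fsSL -o "$asset" "$base/$asset"
  curl -fsSL -o "$sums" "$base/$sums"
  verify_checksum "$asset" "$sums"
  install -m 0755 "$asset" "$dest"
}

# Constructed fixture for an offline run: a fake binary, a matching checksums
# file, and an unrelated entry to show that matching is by exact filename.
make_fixture() {
  dir=$(mktemp -d)
  printf 'not a real shfmt binary\n' > "$dir/shfmt_v3.6.0_linux_amd64"
  {
    printf '%s  shfmt_v3.6.0_darwin_arm64\n' "$(printf '%064d' 0)"
    printf '%s  shfmt_v3.6.0_linux_amd64\n' "$(sha256_of "$dir/shfmt_v3.6.0_linux_amd64")"
  } > "$dir/sha256sums.txt"
  printf '%s\n' "$dir"
}

# Walk through the three cases a CI script meets: genuine, tampered, unlisted.
demo() {
  dir=$(make_fixture)
  bin="$dir/shfmt_v3.6.0_linux_amd64"; sums="$dir/sha256sums.txt"
  verify_checksum "$bin" "$sums" && echo "ok: $bin matches its published digest"
  printf 'x' >> "$bin"
  verify_checksum "$bin" "$sums" || echo "rejected: $bin was modified after download"
  verify_checksum "$sums" "$sums" || echo "rejected: asset has no checksum entry"
  rm -rf "$dir"
}
demo
```

Matching on the exact filename field (rather than grepping the whole line) matters because the checksum file lists every platform build, and a substring match could pair a binary with a neighbouring entry. Fetching the checksum file from the same release as the binary catches a truncated or corrupted download, which is the basic integrity check the request asks for; it does not by itself establish who produced the release, since both files come from the same place.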

mvdan commented 1 year ago

Done; see https://github.com/mvdan/sh/releases/tag/v3.6.0. This is now part of my release build script, so it will be included in future releases.