Feature request: Publish integrity checksum for the binaries.

[bponomarenko]

We do have a custom logic to download node-sass binaries with the help of SASS_BINARY_SITE environment variable, however there is not way to validate integrity of the binaries from GitHub releases page.

It would be really useful if you would publish integrity checksums along the binaries.

[xzyfer]

Could you please link to some related documentation on how?

On Wed, 3 Jun 2020, 10:59 pm Borys Ponomarenko, notifications@github.com wrote:

We do have a custom logic to download node-sass binaries with the help of SASS_BINARY_SITE environment variable, however there is not way to validate integrity of the binaries from GitHub releases page.

It would be really useful if you would publish integrity checksums along the binaries.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sass/node-sass/issues/2930, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAENSWBLFTV2LLRJDGNDCGDRUZCJ3ANCNFSM4NRUSPVA .

[bponomarenko]

It can be similar to what npm does. Any generated package-lock.json file includes path to the package's tgz file together with integrity checksum: https://github.com/sass/node-sass-middleware/blob/master/package-lock.json#L10

The exact implementation for the file hash generation will depend on the platform and language, but here is an example on how to do that from command line on linux: https://linux.die.net/man/1/sha512sum

Having a single table with the binary name and binary integrity hash, published in multiple channels (not only GitHub releases) would be helpful.

[bponomarenko]

Here is another example on how Node.js publishes their binaries: https://nodejs.org/download/release/latest-v14.x/ You can see SHASUMS256.txt file next to the binaries itself with the integrity hashes.