sdkman / sdkman-cli

The SDKMAN! Command Line Interface
https://sdkman.io
Apache License 2.0

Feature: Checksum validation on SDKMAN installation #1040

Open msgilligan opened 2 years ago

msgilligan commented 2 years ago

Feature (was originally a Question) It would be nice if there were a simple and documented mechanism for verifying the Sha256Sum of the install script at https://get.sdkman.io. I searched around a little (see below) and didn't find anything.

Is there a simple mechanism? If so where is it documented?

Something along the lines of:

curl -s "https://get.sdkman.io" > install_sdkman.sh
sha256sum install_sdkman.sh
# compare to ??

[Edited: was originally a question]

My homework:

marc0der commented 2 years ago

Wouldn't it make more sense to get a checksum on the SDKMAN zip dist instead? The install script is in clear text and is only responsible for unpacking the zip distribution on your machine.

msgilligan commented 2 years ago

> Wouldn't it make more sense to get a checksum on the SDKMAN zip dist instead?

Yes. That sounds right to me. Is this documented somewhere? Did I miss it?

marc0der commented 2 years ago

This doesn't exist yet, but given that we use jreleaser and that SDKMAN is now itself an SDK, it makes great sense. Happy for you to change this into a feature request.

msgilligan commented 2 years ago

> This doesn't exist yet, but given that we use jreleaser and that SDKMAN is now itself an SDK, it makes great sense. Happy for you to change this into a feature request.

Will do.

msgilligan commented 2 years ago

I changed the title (and changed Question to Feature in the initial comment); is there anything else I need to do?

aalmiray commented 2 years ago

@marc0der currently the checksum resides inside a file named checksums_sha256.txt. This file collects checksums for all assets. Right now there's just one artifact. Another option is to publish checksums for individual files such that sdkman-cli-5.13.1.zip gets its checksum published as sdkman-cli-5.13.1.zip.sha256. JReleaser can do that of course.
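As an added example (not code from the SDKMAN project or from anyone in this thread), here is a POSIX sh verifier for the two layouts aalmiray describes: the aggregate checksums_sha256.txt and a per-asset sdkman-cli-5.13.1.zip.sha256 file. The function names and the sample files it builds are constructed for this example, and it assumes the checksum file uses the standard two-column sha256sum layout (or a bare digest for the per-asset form).

```shell
#!/bin/sh
# Added example: verify a downloaded SDKMAN distribution zip against a
# published checksum file. Two layouts are handled:
#   checksums_sha256.txt  -> "<hex>  <filename>" lines, one per asset
#   <asset>.sha256        -> one line, "<hex>  <filename>" or a bare <hex>
# Function names and all sample data below are constructed for this example.

sha256_of() {   # print the hex SHA-256 digest of a file (GNU or BSD tools)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_asset <asset path> <checksum file>
# exit status: 0 digest matches, 1 digest differs, 2 asset not listed at all
verify_asset() {
  name=$(basename "$1")
  # Prefer a line that names this asset ("hash  name" or binary-mode "hash *name").
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
  # Fall back to a bare-digest .sha256 file: a single 64-hex-character token.
  [ -n "$expected" ] || expected=$(awk 'NR == 1 && NF == 1 && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print $1 }' "$2")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$1")" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# make_fixture: build constructed sample assets and checksum files in a temp dir
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/tampered"
  printf 'constructed stand-in, not a real SDKMAN zip\n' > "$dir/sdkman-cli-5.13.1.zip"
  printf 'constructed stand-in, modified in transit\n' > "$dir/tampered/sdkman-cli-5.13.1.zip"
  printf 'constructed asset that no checksum file lists\n' > "$dir/other.zip"
  good=$(sha256_of "$dir/sdkman-cli-5.13.1.zip")
  zero=0000000000000000000000000000000000000000000000000000000000000000
  printf '%s  sdkman-cli-5.13.1.zip\n%s  some-other-asset.tar.gz\n' "$good" "$zero" > "$dir/checksums_sha256.txt"
  printf '%s\n' "$good" > "$dir/sdkman-cli-5.13.1.zip.sha256"   # bare-digest form
  echo "$dir"
}

d=$(make_fixture)
for f in "$d/sdkman-cli-5.13.1.zip" "$d/tampered/sdkman-cli-5.13.1.zip" "$d/other.zip"; do
  verify_asset "$f" "$d/checksums_sha256.txt" && echo "OK       $f" || echo "FAIL($?)  $f"
done
rm -rf "$d"
```

A mismatch (status 1) and an unlisted asset (status 2) are reported separately so a wrapper can treat a missing entry as a publication problem rather than as tampering.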