are there checksums (for releases) ?

Question

are there checksums (for releases) ?

ilia-shipitsin opened this issue 8 months ago · comments

ilia-shipitsin commented 8 months ago

Hello,

github runner images team here.
we are looking for securing supply chains when adding software to CI images.

are there checksum available ? or maybe some recommended validation approach.

thanks!

Chris Smowton · Answer 1 · Fri Sep 15 2023 19:42:06 GMT+0800 (China Standard Time)

Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?

ilia-shipitsin · Answer 2 · Fri Sep 15 2023 20:21:04 GMT+0800 (China Standard Time)

we download codeql bundles using https://github.com/actions/runner-images/blob/main/images/win/scripts/Installers/Install-CodeQLBundle.ps1

files like "https://github.com/github/codeql-action/releases/download/$($Bundle.TagName)/codeql-bundle.tar.gz"

Aditya Sharad · Answer 3 · Sat Sep 23 2023 06:01:24 GMT+0800 (China Standard Time)

@ilia-shipitsin since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact) do you have a preference between the following options?

a single checksums file containing checksums and filenames for each of the 4 files, on separate lines (this is what the gh CLI does for example)
one checksum file for each artifact

Josh Soref · Answer 4 · Wed Feb 14 2024 05:25:59 GMT+0800 (China Standard Time)

The standard unix model is one signature per file, since it enables wget $url{,.sig}.