Are there checksums (for releases)?
ilia-shipitsin opened this issue · comments
ilia-shipitsin commented
Hello,
GitHub runner images team here.
We are looking into securing supply chains when adding software to CI images.
Are there checksums available? Or maybe some recommended validation approach.
Thanks!
Chris Smowton commented
Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?
ilia-shipitsin commented
Aditya Sharad commented
@ilia-shipitsin since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact), do you have a preference between the following options?
- a single checksums file containing checksums and filenames for each of the 4 files, on separate lines (this is what the `gh` CLI does, for example)
- one checksum file for each artifact
Josh Soref commented
The standard unix model is one signature per file, since it enables `wget $url{,.sig}`.
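As an added example (not code from the codeql-action project or from anyone in this thread), here is how a CI step could verify downloaded artifacts against the first option discussed above, a single checksums file in the `<sha256>  <filename>` layout that `sha256sum` writes. The artifact names and contents are constructed placeholders so the script runs offline; it fails closed when a file has no entry or its hash differs.

```shell
#!/bin/sh
# Added example: verify release artifacts against one checksums file.
# Assumes GNU coreutils sha256sum; all inputs are constructed below.

# verify_artifact CHECKSUMS_FILE ARTIFACT
# Returns 0 when ARTIFACT's SHA-256 matches its line in CHECKSUMS_FILE,
# 1 when the hash differs or the file is not listed at all.
verify_artifact() {
    checksums="$1"
    artifact="$2"
    name=$(basename "$artifact")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$checksums")
    # A missing entry must fail closed: a file the list never covered
    # must not be accepted just because there is nothing to compare against.
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$artifact" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a fake release with three per-OS artifacts and one
# universal artifact (placeholder names, not real CodeQL file names).
demo() {
    dir=$(mktemp -d)
    for f in tool-linux tool-macos tool-windows tool-universal; do
        printf 'artifact %s\n' "$f" > "$dir/$f.tar.gz"
    done
    (cd "$dir" && sha256sum tool-*.tar.gz > checksums.txt)
    # An unmodified artifact verifies; a tampered one must not.
    if verify_artifact "$dir/checksums.txt" "$dir/tool-linux.tar.gz"; then
        good=0; else good=1; fi
    printf 'tampered\n' >> "$dir/tool-macos.tar.gz"
    if verify_artifact "$dir/checksums.txt" "$dir/tool-macos.tar.gz"; then
        bad=0; else bad=1; fi
    # A file that is not listed at all must also be rejected.
    printf 'unlisted\n' > "$dir/tool-extra.tar.gz"
    if verify_artifact "$dir/checksums.txt" "$dir/tool-extra.tar.gz"; then
        unlisted=0; else unlisted=1; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ] && [ "$unlisted" -eq 1 ]
}
```

Run `demo` to exercise all three cases; in a pipeline you would call `verify_artifact` on the downloaded checksums file and artifact and abort the job on a non-zero return.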