Add checksums to release files
This is to address an unopened issue similar to:
gruntwork-io/terragrunt#610

The checksums of all binaries within `bin/` will be saved within
`SHA256SUMS`. The integrity of binaries can now be verified with this
command: `sha256sum --check --ignore-missing SHA256SUMS`.

In the future, Gruntwork should consider using a PGP key to
cryptographically sign this checksums file and to distribute the
signature along with the rest of the release files. Doing so will likely
require using private CI/CD infrastructure instead of CircleCI so that
Gruntwork may have full control over their private signing key.
JD Friedrikson committed Mar 2, 2019
1 parent db2d09f commit 68d26df
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions .circleci/config.yml
Expand Up @@ -49,6 +49,7 @@ jobs:
- checkout
- attach_workspace:
at: /go/src/github.com/gruntwork-io/health-checker
- run: cd bin && sha256sum * > SHA256SUMS
- run: upload-github-release-assets bin/*

workflows:
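
Review bot: The glob in the added `cd bin && sha256sum * > SHA256SUMS` step matches every entry in `bin/`, so if a `SHA256SUMS` file is already there (a re-run of the job, or one carried in through the attached workspace) it is listed with a hash of its own partially written contents, and that entry will not verify for anyone who downloads the full set. A subdirectory under `bin/` would also make `sha256sum` exit non-zero and fail the step. Consider writing the list to a path outside `bin/` and moving it in afterwards, or hashing only the regular files other than `SHA256SUMS`. It is also worth noting in the release documentation that the checksum file is uploaded by the same step and through the same channel as the binaries, so it detects corrupted downloads but not a replaced release asset, which is the gap the commit message's signing proposal would close.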