From 68d26df46091e37e6e38d4702e67fa1f2ee558b9 Mon Sep 17 00:00:00 2001
From: JD Friedrikson
Date: Sat, 2 Mar 2019 17:06:03 -0500
Subject: [PATCH] Add checksums to release files

This is to address an unopened issue similar to: https://github.com/gruntwork-io/terragrunt/issues/610 The checksums of all binaries within `bin/` will be saved within `SHA256SUMS`. The integrity of binaries can now be verified with this command: `sha256sum --check --ignore-missing SHA256SUMS`. In the future, Gruntwork should consider using a PGP key to cryptographically sign this checksums file and to distribute the signature along with the rest of the release files. Doing so will likely require using private CI/CD infrastructure instead of CircleCI so that Gruntwork may have full control over their private signing key.
---
 .circleci/config.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index a5b6132..9051afe 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -49,6 +49,7 @@ jobs:
 - checkout
 - attach_workspace:
 at: /go/src/github.com/gruntwork-io/health-checker
+ - run: cd bin && sha256sum * > SHA256SUMS
 - run: upload-github-release-assets bin/*
 workflows:
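Review bot: The `sha256sum *` in the added `run` step is not idempotent: if a `SHA256SUMS` already exists in `bin/` (presumably possible on a re-run of the job, or if the attached workspace carries one over), the glob hashes the stale file into the new list, and that entry then fails `sha256sum --check` because the file is rewritten immediately afterwards. On a clean workspace this does not trigger, since the shell expands the glob before the redirection creates the output file, but the cheap guard is to remove any old copy first: `- run: cd bin && rm -f SHA256SUMS && sha256sum * > SHA256SUMS`. The step also deserves a comment stating its actual guarantee, because the checksums are produced on the same runner that built the binaries and so only detect corruption or tampering after upload, not a compromised build: `# Checksums are computed on the build runner itself; they protect the download, not the build (see signing note in the commit message).`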