sha256sums for kind binaries #2331
Comments
cokegen
added
the
kind/feature
|
We can and should definitely add shasums to the binaries so download integrity can be checked. I don't think the Kubernetes project currently has a solution for signing, if/when it does we'll follow suit here. kind binary builds should be reproducible at least though, so anyone can vet that the binary + sha reflects the sources fairly easily (clone the sources, run the build and compare, they should match, if not that's a regression we should fix). This should make a pretty good starter issue for anyone interested, basically update this script which we run as part of the release process to produce a Then when we release these will be alongside the binary outputs and we'll upload them as well /help |
|
@BenTheElder: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
sig/testing
|
/assign |
|
hello @viveksyngh is there a readme or some place where the sha256sum/sha512sum are published? like from kubernetes where the sha512 sum are in there readme file? https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md thanks |
|
They're alongside the release binaries. See "assets" at the bottom of e.g. https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0, which is standard for github hosted releases. |
What would you like to be added: sha256sums / gpg signatures for kind binaries
Why is this needed: some basic form of verification at least for the kind binaries would be good to have, hashes, gpg signatures, etc.
The text was updated successfully, but these errors were encountered: