This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Feature request: Publish integrity checksum for the binaries. #2930

Open
bponomarenko opened this issue Jun 3, 2020 · 3 comments

@bponomarenko

We do have custom logic to download node-sass binaries with the help of the SASS_BINARY_SITE environment variable; however, there is no way to validate the integrity of the binaries from the GitHub releases page.

It would be really useful if you would publish integrity checksums alongside the binaries.

@bponomarenko bponomarenko changed the title Publish integrity checksum for the binaries. Feature request: Publish integrity checksum for the binaries. Jun 3, 2020
@xzyfer
Contributor

xzyfer commented Jun 3, 2020 via email

@bponomarenko
Author

It can be similar to what npm does. Any generated package-lock.json file includes the path to the package's tgz file together with an integrity checksum: https://github.com/sass/node-sass-middleware/blob/master/package-lock.json#L10

The exact implementation of the file hash generation will depend on the platform and language, but here is an example of how to do that from the command line on Linux: https://linux.die.net/man/1/sha512sum

Having a single table with the binary name and binary integrity hash, published in multiple channels (not only GitHub releases) would be helpful.

@bponomarenko
Author

Here is another example of how Node.js publishes their binaries: https://nodejs.org/download/release/latest-v14.x/
You can see the SHASUMS256.txt file next to the binaries themselves, with the integrity hashes.
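
The consumer-side check that a SHASUMS256.txt-style manifest would enable, together with the npm-style integrity string mentioned earlier in the thread, as an added example that is not part of the original issue and is not node-sass or Node.js project code. It assumes the manifest uses `sha256sum` output format; the file names and binary contents are constructed.

```javascript
const crypto = require('node:crypto');

// Parse a checksum manifest in sha256sum(1) output format:
// "<64 hex chars>  <name>" (text mode) or "<64 hex chars> *<name>" (binary mode).
function parseShasums(text) {
  const sums = new Map();
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '') continue;
    const m = /^([0-9a-fA-F]{64}) [ *](.+)$/.exec(line);
    // Fail closed: a malformed or duplicated entry invalidates the manifest.
    if (!m) throw new Error(`malformed manifest line: ${JSON.stringify(line)}`);
    if (sums.has(m[2])) throw new Error(`duplicate manifest entry: ${m[2]}`);
    sums.set(m[2], m[1].toLowerCase());
  }
  return sums;
}

// Check a downloaded binary (Buffer) against its manifest entry.
function verifyBinary(name, data, sums) {
  const expected = sums.get(name);
  if (expected === undefined) return { ok: false, reason: 'not listed in manifest' };
  const actual = crypto.createHash('sha256').update(data).digest('hex');
  return actual === expected ? { ok: true } : { ok: false, reason: 'digest mismatch' };
}

// npm-style integrity string as recorded in package-lock.json: "sha512-<base64>".
function sriIntegrity(data) {
  return 'sha512-' + crypto.createHash('sha512').update(data).digest('base64');
}

// Constructed sample: a stand-in "binary" and the manifest a publisher would ship.
function demo() {
  const name = 'example_binding.node'; // hypothetical file name
  const binary = Buffer.from('constructed sample binary contents');
  const digest = crypto.createHash('sha256').update(binary).digest('hex');
  const sums = parseShasums(`${digest}  ${name}\n`);
  return {
    intact: verifyBinary(name, binary, sums),
    tampered: verifyBinary(name, Buffer.concat([binary, Buffer.from('!')]), sums),
    unlisted: verifyBinary('other_binding.node', binary, sums),
    integrity: sriIntegrity(binary),
  };
}

console.log(demo());
```

A manifest fetched from the same mirror as the binary only detects corruption in transit; comparing against a copy obtained from a separate channel is what detects a substituted binary.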
