Correct way to validate the kubeseal tarball with Ansible

[fmunteanu]

Which component:
kubeseal

Describe the bug
I'm trying to validate with Ansible the kubeseal signature, what is the correct format to use? None of the checksum types provided by Ansible match the contents of your .sig file.

- name: Extract tarball
  ansible.builtin.get_url:
    url: https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.5/kubeseal-0.24.5-linux-arm64.tar.gz
    checksum: sha256:https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.5/kubeseal-0.24.5-linux-arm64.tar.gz.sig
    dest: /tmp
    owner: root
    group: root
    mode: '0644'

I checked for md5sum, sha1sum, sha224sum, sha256sum, sha384sum and sha512sum. The signature file has the string:

MEQCIBov/K3V06TADW+iboEdqaqYIulkkloGhqn/zuBzWj7QAiAoV4iov5zvZcpNAWxr5QRKSE1zU/h4hVsMOjNfKAb3fQ==

[alemorcuq]

Hi, @fmunteanu.

The .sig file contains the signature by Cosign. You can find the checksums for the different tarballs in the sealed-secrets_VERSION_checksums.txt file for each release. For example, the checksums for version 0.24.5 can be found here.

Regards,
Alejandro

[fmunteanu]

@alemorcuq would it be possible to separate each checksum into dedicated files, like other GitHub releases do?

Example:
https://github.com/cilium/hubble/releases/download/v0.12.3/hubble-linux-arm.tar.gz.sha256sum

The above format will also allow us to easily identify the required checksum validation.

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[alemorcuq]

I'm not familiar with the Ansible way, you can easily check the checksum with sha256sum:

$ sha256sum -c sealed-secrets_0.25.0_checksums.txt --ignore-missing
kubeseal-0.25.0-linux-amd64.tar.gz: OK

Just make sure the checksums file and the tarball are in the same directory.