
Release checksums on GitHub #23512

Oct 14, 2020 · 9 answers

Hi, how can I view the SHA256 checksum for a release on GitHub? I need such checksums for new easyconfig files in EasyBuild. Can’t find checksums anywhere! Thanks.

Replies

9 suggested answers

Hello and welcome to the community @Ghepardo.

GitHub doesn’t have built-in support for checksums in Releases. The author of the release would have to include that information in the release notes.

Let us know if you have more questions.

0 replies
Answer selected

Hi, thanks and noted, @lee_dohm.

Given that GitHub is a software repository, it is very strange that it does not enforce checksums for releases. Otherwise, how is any consumer of the software to have confidence that their copy of it has not been tampered with or damaged? This is a basic requirement for any respectable repository.

0 replies
Ghepardo:

Otherwise, how is any consumer of the software to have confidence that their copy of it has not been tampered with or damaged?

Traditional checksum systems don’t give any real evidence that the file downloaded has not been tampered with or damaged. It only signifies that the person who was able to modify two separate files on the same server was able to make them agree. There is no evidence available to the person downloading those two files that the person who last modified them is someone they trust. For example, Linux Mint was compromised in exactly this way.

In order to offer evidence that a file has not been tampered with or damaged, it would require a digital certificate as part of the file itself, signed with a key that can be verified by a trusted mechanism. The GitHub releases system works well with these kinds of protocols. When using one of these protocols, checksums are superfluous.

0 replies

Thanks @lee-dohm for your excellent observations, from which I have learned much.

0 replies

In my case, an installer file (70MB) takes forever to download from Amazon S3 (20KB/s) and it always times out before completion. I had to download it from other sources, but I want to verify that the downloaded file is identical to the release on GitHub.

Providing a hash of the release files would be valuable to many users.

0 replies

SHA256 is pretty solid and definitely not easily reproducible!
But besides security concerns, this is still used by many package managers (Conda, Conan, Brew, to name a few), so it seems natural to have it generated on upload. Is this considered?

Thanks

0 replies

I also miss checksums.

If I made one myself, the file might already have been corrupted while downloading it to my machine.
If I want to use the GitHub API in an application, I need to verify that the downloaded file is 1:1 the same as the one on the GitHub server.

0 replies

While there are still many attacks when sums are just published on the same site as the release, sums still do their job of proving that:

  • there was no man in the middle
  • the file was not damaged due to software/connectivity issues

Moreover, many package managers REQUIRE AND ENFORCE the presence of checksums. If you want to download something in your automated builds you MUST specify a checksum. Ignoring this just makes GitHub and its flows extremely unfriendly to software engineers. Marking this question as solved just shows that GitHub pays little attention to its users’ problems.

0 replies
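An added example (not code from this thread, from GitHub or from EasyBuild) that ties together the accepted answer, @lee-dohm's objection and the package-manager point above. The release author writes a SHA256SUMS file in the exact `sha256sum` output format next to the assets; the consumer verifies it the way `sha256sum -c` would. The script then plays out three constructed cases: a clean download, a download cut off part way through, and an attacker with write access to the server who rewrites both the asset and the checksum file. In the last case the checksum-file check still passes, because it only proves the two files agree with each other, while the hash a recipe (easyconfig, formula, conanfile) pinned when the release was reviewed still fails. The asset name, its bytes and the tampering are all made up for the demo.

```python
"""Publishing and checking release checksums in sha256sum's format, then
showing what the check does and does not prove. Constructed example: the
asset name, its bytes and the tampering below are made up for the demo."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so a large installer never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_sums(release_dir, names, sums_name="SHA256SUMS"):
    """Author side: write '<hex>  <name>' lines, the exact output format of
    `sha256sum`, so consumers can also run `sha256sum -c SHA256SUMS`."""
    lines = [f"{sha256_file(os.path.join(release_dir, n))}  {n}" for n in names]
    with open(os.path.join(release_dir, sums_name), "w") as f:
        f.write("\n".join(lines) + "\n")


def parse_sums(text):
    """Parse sha256sum-style lines into {name: hex}. Accepts both the text
    form 'hex  name' and the binary-mode form 'hex *name'; rejects malformed
    digests rather than silently skipping them."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"bad digest in line: {line!r}")
        if name[:1] in (" ", "*"):
            name = name[1:]
        expected[name] = digest.lower()
    return expected


def verify_against_sums(download_dir, sums_path):
    """Consumer side, equivalent to `sha256sum -c`: every file listed in the
    checksum file must hash to the value written next to it."""
    with open(sums_path) as f:
        expected = parse_sums(f.read())
    return all(hmac.compare_digest(sha256_file(os.path.join(download_dir, n)), digest)
               for n, digest in expected.items())


def verify_pinned(path, pinned_hex):
    """Package-manager side: compare against a hash recorded in the recipe
    (easyconfig, formula, conanfile...) when the release was reviewed, i.e.
    a value the download server cannot rewrite later."""
    return hmac.compare_digest(sha256_file(path), pinned_hex.lower())


def run_scenarios():
    """Three constructed outcomes, each as (sums_check_ok, pinned_check_ok):
      intact              honest release, clean download        -> (True, True)
      corrupted           honest release, damaged download      -> (False, False)
      server_compromised  attacker rewrote asset AND SHA256SUMS -> (True, False)
    The last row is the point made in the thread: a checksum file served from
    the same place as the asset only proves the two files agree with each other."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        asset = "tool-1.2.3-installer.bin"          # hypothetical asset name
        path = os.path.join(d, asset)
        sums = os.path.join(d, "SHA256SUMS")
        with open(path, "wb") as f:
            f.write(b"genuine installer bytes\n" * 4000)
        write_sums(d, [asset])
        pinned = sha256_file(path)                  # recorded out of band, on review

        results["intact"] = (verify_against_sums(d, sums), verify_pinned(path, pinned))

        with open(path, "r+b") as f:                # transfer cut off part way through
            f.truncate(1000)
        results["corrupted"] = (verify_against_sums(d, sums), verify_pinned(path, pinned))

        with open(path, "wb") as f:                 # attacker with write access to the server
            f.write(b"backdoored installer bytes\n" * 4000)
        write_sums(d, [asset])                      # ...regenerates the checksum file too
        results["server_compromised"] = (verify_against_sums(d, sums), verify_pinned(path, pinned))
    return results


if __name__ == "__main__":
    for name, (sums_ok, pin_ok) in run_scenarios().items():
        print(f"{name:20s} sums-file check: {sums_ok!s:5s}  pinned hash: {pin_ok}")
```

The pinned hash works because it was captured through a different channel (the reviewer's eyes and the recipe's version control) than the download itself; a detached signature checked against a key obtained elsewhere gives the same property, and is what the "digital certificate ... verified by a trusted mechanism" reply above is asking for. A SHA256SUMS file next to the asset is still worth publishing: it catches the truncated-transfer case and gives recipe authors a value to copy, it just cannot defend against whoever controls the server.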

I agree that checksums should be standard on GitHub releases, and there are multiple reasons to do so as well as ways to deal with the security weaknesses of doing so. However, I don’t think commenting here is going to do anything to encourage that or even likely be seen by anyone who can push to make that happen. I may be wrong, but I think the GitHub feedback is the place to do so, so I created an issue there. Everyone who agrees checksums are important and should be added should +1 that issue.

0 replies
7 participants