Skip to content

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 04 Jul 10:36
Immutable release. Only release title and notes can be modified.
cdb919c

What's Changed

  • ci: SHA-pin all actions, keep client symbols, fix reproducible-build … by @zR-JB in #26

Full Changelog: v0.1.0...v0.1.1

⚠️ Windows Defender warnings & verifying this release

Windows may flag the native go TUI client: graphite-meter-client.exe (e.g. Trojan:Win32/Wacatac.C!ml or a SmartScreen prompt). This is most likely a false positive — Defender's ML heuristics routinely flag unsigned Go binaries with no download history, and this project has no code-signing certificate. Don't take that on trust: this release is bit-for-bit reproducible, so you can verify it yourself.

1. Verify your download

Checks the archive wasn't corrupted or swapped in transit (checksums.txt covers the archives):

# Linux / macOS
sha256sum -c checksums.txt --ignore-missing
# Windows — compare against the matching line in checksums.txt
Get-FileHash .\graphite-meter-client_0.1.1_windows_amd64.zip -Algorithm SHA256

2. Rebuild from source and compare

Proves the binary contains exactly the tagged source. Works from any OS (Go cross-compiles deterministically); needs only Git and Go. GOTOOLCHAIN pins the exact release compiler — a different Go version legitimately changes the bytes. core.autocrlf=false and the clean-tree check matter: any modification flips the embedded vcs.modified flag and the hash.

# Linux / macOS
git clone -c core.autocrlf=false https://github.com/zR-JB/graphite-meter
cd graphite-meter && git checkout v0.1.1 && cd go
git status --porcelain   # must print nothing
GOTOOLCHAIN=go1.26.4 CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath \
  -ldflags "-X github.com/zR-JB/graphite-meter/go/internal/goclient.Version=0.1.1" \
  -o graphite-meter-client.exe ./cmd/graphite-meter-client
sha256sum graphite-meter-client.exe
# Windows
git clone -c core.autocrlf=false https://github.com/zR-JB/graphite-meter
cd graphite-meter; git checkout v0.1.1; cd go
git status --porcelain   # must print nothing
$env:GOTOOLCHAIN="go1.26.4"; $env:CGO_ENABLED="0"; $env:GOOS="windows"; $env:GOARCH="amd64"
go build -trimpath -ldflags "-X github.com/zR-JB/graphite-meter/go/internal/goclient.Version=0.1.1" -o graphite-meter-client.exe ./cmd/graphite-meter-client
Get-FileHash .\graphite-meter-client.exe -Algorithm SHA256

Compare against the binary extracted from the release archive (hash the binary, not the zip/tar.gz — archives embed timestamps and never reproduce). Expected hashes for v0.1.1:

7ec6abba846dcb02e58c602097779c765f4d707364f117b900c06e6ec379e018  windows/amd64  graphite-meter-client.exe
302637289ee7bb84773e6f64a9e300a9afb8278856ee7d49272161272e0fb060  linux/amd64    graphite-meter-client
d1756f9c91a6c5c432634e1ffc08ac50d003113b83f9d5afea71c4cf7891fcd2  linux/arm64    graphite-meter-client
347709f591330543e1ab0eb5da83eb88f1aad246679f08d56881443a08442cd0  darwin/amd64   graphite-meter-client
386c2ace0c26beb7d14184050c10c9435b3bf464187cc1f747c272e92a7708c2  darwin/arm64   graphite-meter-client

For other platforms, change GOOS/GOARCH and drop the .exe. If a hash differs, go version -m <binary> prints every build input (compiler, vcs.revision, vcs.modified, all dependency checksums) — the differing line is your explanation.

3. Audit the code and dependencies

The client is small: go/cmd/graphite-meter-client + go/internal/goclient — no os/exec, no telemetry, no network destination beyond the server URL you pass it. Four direct dependencies (Charm Bubble Tea TUI stack, coder/websocket, santhosh-tekuri/jsonschema), all hash-pinned in go/go.sum and verified against Go's public checksum transparency log on every build. cd go && GOOS=windows go mod why -m <module> explains why any dependency is present. The pipeline (release.yml) uses SHA-pinned actions and only publishes tags merged to main.