Skip to content

[Feature]: Digests for URL verification #699

New issue
New issue
Closed
#701
Closed
[Feature]: Digests for URL verification#699
#701
Assignees
ascopes
Labels
good first issueGood issues for new contributors to pick up.new featureA new user-facing feature.securityIssues relating to security or the security policy itself.
Milestone
 
v3.5.x
@ascopes

Description

@ascopes
ascopes
opened on Jun 2, 2025

Discussed in #498

Originally posted by ascopes December 10, 2024

Brief description

Be able to provide an optional SHA1/MD5/SHA256 digests in binaryUrlPlugins.

Aims and goals

Improve the stance on security to allow users to detect if their dependencies have changed without them realising.

Workarounds

Store the artifacts in a well-known and trusted registry.

In scope

  • Digests for URL plugins.
  • Digests for protoc when provided as a URL.

Out of scope

  • Digital signature detection and verification across various binary formats.
  • GPG verification (this needs more research and should be implemented separately in the future if requested).

Metadata

Metadata

Assignees

Labels

good first issueGood issues for new contributors to pick up.new featureA new user-facing feature.securityIssues relating to security or the security policy itself.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions