Provide checksums of or sign releases #2796
Comments
|
Hi @RemcodM ! Thanks for raising this. Making verifying agent binaries easier is something that's been on our mind for a while and we'd like to make it better. I think we could easily add a "sha256sums" file to each release. The checksum files in #500 should still be updated too, e.g.: https://download.buildkite.com/agent/stable/latest/buildkite-agent-darwin-arm64.sha256 (Note we don't produce darwin-386 binaries anymore, that were shown in #500) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
For more automation in our workflow of updating our infrastructure with the newest Buildkite Agents, we would like to automatically check the integrity of the downloaded artifacts.
Describe the solution you'd like
It seems that in the past, it might have been possible to get sha256 sums via #500, however, this does not seem to be possible anymore (or is it?). Something like providing checksums would already be sufficient, even nicer would it be if the builds could be signed, for example using PGP.
Describe alternatives you've considered
At this point, we calculate the checksums ourselves to ensure that the artifacts doesn't change from build to build, but that is a lot of manual work that is almost impossible to automate correctly. Provided checksums also give more confidence that the artifact was uploaded correctly from your side.
Additional context
The text was updated successfully, but these errors were encountered: