Publish sha512 checksums of published artifacts #7908
Labels
feature-request: A feature should be added or improved.
installation
needs-review: This issue or pull request needs review from a core team member.
p2: This is a standard priority issue
Describe the feature
For the artifacts published on https://awscli.amazonaws.com/ and referenced in the install documentation https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html, it would be nice to have sha256 checksums that can be downloaded to check the integrity of the artifacts. This is complementary to the GPG check that is encouraged, as in some contexts it is simpler to check a sha256 fingerprint than a GPG signature.
Use Case
The context is for "distributions" or "installers" of awscli, such as asdf, that can be improved by adding additional checks (important in contexts where SSL can't be trusted); see asdf-vm/asdf#1320 and, for awscli specifically, MetricMike/asdf-awscli#28.
Proposed Solution
The signatures should be generated by the infrastructure generating the distribution of awscli, and probably published as separate files, and maybe also published on GitHub for cross-reference.
Other Information
No response
Acknowledgements
CLI version used
1.27.139
Environment details (OS name and version, etc.)
Ubuntu