Status: Closed
Labels: area-release-infra (Release infrastructure owned by .NET Product Construction)
Description
Describe the Problem
I can now download full sources from the VMR:
Unfortunately, if I pass along the tarball to someone, there's no way for them to verify that the download is authentic and I didn't tamper with it.
Describe the Solution
Source-build should publish checksums (sha512, or similar) for release assets, similar to dotnet/installer#15803
As a further enhancement, gpg signatures would be even better, since they would guarantee that the tarball is a blessed and official release without any tampering (even by, say, GitHub staff or Microsoft staff other than those authorized to handle releases).
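As an added illustration (not code from this issue or from dotnet/source-build), this is the check a downstream recipient would run once a sha512 checksum file in the usual `sha512sum` format ships next to the release asset; the archive name and its contents are constructed, and the tampered copy and the unlisted file show the two ways the check must fail:

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large tarball need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Parse the sha512sum format: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.lstrip(" *")
        if len(digest) != 128 or not all(c in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest
    return entries


def verify_asset(asset_path, checksum_text):
    """Return (ok, reason); an asset missing from the list is rejected, not silently skipped."""
    asset_path = Path(asset_path)
    expected = parse_checksum_file(checksum_text).get(asset_path.name)
    if expected is None:
        return False, f"{asset_path.name} not listed in checksum file"
    if not hmac.compare_digest(sha512_of_file(asset_path), expected):
        return False, "sha512 mismatch"
    return True, "ok"


def demo():
    """Constructed sample (not a real VMR archive): original, tampered copy, unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "dotnet-sdk-source.tar.gz"
        good.write_bytes(b"constructed tarball bytes\n" * 1000)
        published = f"{sha512_of_file(good)}  {good.name}\n"  # what the release would ship
        tampered = Path(tmp) / "forwarded" / good.name  # same name, one byte appended
        tampered.parent.mkdir()
        tampered.write_bytes(good.read_bytes() + b"!")
        return (verify_asset(good, published), verify_asset(tampered, published),
                verify_asset(Path(tmp) / "other.tar.gz", published))
```

A checksum file downloaded from the same server as the tarball only detects corruption or tampering in transit; tying it to a release key is what the gpg signature requested above adds.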
Additional Context
This ties into https://learn.microsoft.com/en-us/nuget/concepts/security-best-practices and https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification