Downloads should have a way to verify that they are official/authentic  #3316

@omajid

Description

Describe the Problem

I can now download full sources from the VMR:

[image omitted]

Unfortunately, if I pass along the tarball to someone, there's no way for them to verify that the download is authentic and I didn't tamper with it.

Describe the Solution

Source-build should publish checksums (sha512, or similar) for release assets, similar to dotnet/installer#15803

As a further enhancement, gpg signatures would be even better, since they would guarantee that the tarball is a blessed and official release without any tampering (even by, say, GitHub staff or Microsoft staff other than those authorized to handle releases).

Additional Context

This ties into https://learn.microsoft.com/en-us/nuget/concepts/security-best-practices and https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
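A consumer-side verification step, added here as an example that is not code from this issue or from dotnet/source-build: it checks every asset listed in a published sha512 checksum file and, separately, a detached GPG signature over that checksum file against a pinned release keyring. The function names, the checksum-file layout (sha512sum's `<hex>  <name>`) and the keyring path are this example's assumptions.

```shell
#!/bin/sh
# Consumer-side verification of a release tarball against a published sha512
# checksum file, plus an optional detached GPG signature over that file.
# Assumptions (this example's, not dotnet/source-build's): the checksum file
# uses sha512sum's "<hex>  <name>" layout, and the release signing key lives
# in a keyring file the verifier has pinned out of band.

# Portable sha512 digest of one file: GNU coreutils first, shasum as fallback.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# verify_sha512 CHECKSUM_FILE DIR
# Every entry must name a file under DIR whose digest matches. Returns 0 only
# when at least one entry was checked and none was missing or mismatched, so an
# empty or truncated checksum file cannot pass.
verify_sha512() {
  checksums=$1; dir=$2; checked=0; failed=0
  while read -r expected name; do
    [ -z "$expected" ] && continue              # skip blank lines
    case $name in \**) name=${name#\*} ;; esac  # drop sha512sum's binary marker
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; failed=$((failed + 1))
    elif [ "$(sha512_of "$dir/$name")" != "$expected" ]; then
      echo "MISMATCH $name" >&2; failed=$((failed + 1))
    else
      echo "OK       $name"
    fi
    checked=$((checked + 1))
  done < "$checksums"
  [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# verify_gpg_signature KEYRING SIGNATURE_FILE CHECKSUM_FILE
# Uses ONLY the pinned keyring, so a key that merely sits in the user's default
# keyring cannot satisfy the check. Verify the checksum file's signature first,
# then the tarball's digest, so a swapped tarball-and-checksum pair is caught.
verify_gpg_signature() {
  gpg --no-default-keyring --keyring "$1" --verify "$2" "$3"
}
```

Run order for a real release: `verify_gpg_signature release.keyring sums.sha512.asc sums.sha512 && verify_sha512 sums.sha512 .`; a checksum file whose signature fails should not be used at all.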

Labels

area-release-infra (Release infrastructure owned by .NET Product Construction)

Status

Done
