
Checksum for all files #2573

Closed
4 tasks
PizBernina opened this issue Sep 25, 2023 · 8 comments
Labels
enhancement New feature or request

Comments

@PizBernina

PizBernina commented Sep 25, 2023

Summary

Hi, can you please start adding checksums for all files? I saw that the latest release has one, but not for the source code.

Thanks for considering.

Problem Definition

For security reasons it would make sense to have the checksum for all uploaded files within a release.

Proposal

Add checksum of all files in checksums.txt

For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@PizBernina PizBernina added the enhancement New feature or request label Sep 25, 2023
@rootulp
Collaborator

rootulp commented Oct 5, 2023

Thanks for opening the issue @PizBernina !

For security reasons it would make sense to have the checksum for all uploaded files within a release.

Can you please elaborate on the security reason? The original source code isn't uploaded within a release.

Add checksum of all files in checksums.txt

Are you aware of other projects that do this and which tools they use? For context, we use GoReleaser checksums to upload the checksums.txt (example on v1.0.0-rc17) but I don't immediately see an option to add a checksum for ALL files in the repo.

@PizBernina
Author

Can you please elaborate on the security reason? The original source code isn't uploaded within a release.

Due diligence when using downloaded source code

Are you aware of other projects that do this and which tools they use? For context, we use GoReleaser checksums to upload the checksums.txt (example on v1.0.0-rc17) but I don't immediately see an option to add a checksum for ALL files in the repo.

On the example of v1.0.0-rc17, adding the checksum of the Source code archive (tar.gz) to your .txt file would do it. GoReleaser is fine.

Not sure what tools these projects use but it looks sufficient to me:
Teku (client for Ethereum) does it this way (within Downloads): https://github.com/Consensys/teku/releases/tag/23.9.1
Moonbeam (Polkadot client) uses a json for it (within assets): https://github.com/moonbeam-foundation/moonbeam/releases/tag/runtime-2402
Polkadot uses a .sha file within assets for different files: https://github.com/paritytech/polkadot-sdk/releases/tag/polkadot-v1.1.0

@PizBernina
Author

Looks good now on the latest release for celestia-app but for the celestia-node it does not.

@rootulp
Collaborator

rootulp commented Oct 16, 2023

Hmm, can you please elaborate? We haven't changed the GoReleaser config to create a checksum for all files. It looks like it only creates a checksum per pre-built binary. In other words: https://github.com/celestiaorg/celestia-app/releases/tag/v1.1.0 has a checksums.txt that looks like:

01052cb793c3cca913cfa2ac434752c48c9ed57b761d71444495e54b9f15be39  celestia-app_Linux_arm64.tar.gz
1e84a6317701b3140dd2f6367778f78bccf4d41aa47f7facc9df5258772f4f0f  celestia-app_Darwin_x86_64.tar.gz
7b778945360d5af2e08a28fca5435441e58ec8a8a72413c194421682682adfe8  celestia-app_Darwin_arm64.tar.gz
b1514768cf919d7d6fdc3b26dcd0a56c39ebd3a84ec77b7ffe2e83e7961b0a8e  celestia-app_Linux_x86_64.tar.gz

and I thought this issue requested all source files to be present in the checksums.txt
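The checksums.txt shown above uses the two-space `sha256sum` format (digest, two spaces, file name), which means it can be both produced and verified with stock coreutils. The script below is an added example, not part of the celestia-app repository or its GoReleaser configuration: it builds a checksums.txt that covers every asset in a release directory, including a source archive, and verifies it the way a downloader would. The file names and contents are constructed for the demonstration; `celestia-app-1.1.0.tar.gz` is an assumed name for the source archive, not one the project publishes.

```shell
#!/bin/sh
# Added example (not the project's own release tooling): write a checksums.txt
# covering every release asset, then verify it with sha256sum -c.
set -eu

# Create a scratch release directory with constructed assets. The source
# archive name below is an assumption, not a real celestia-app artifact.
make_release_dir() {
  dir=$(mktemp -d)
  printf 'binary bytes\n' > "$dir/celestia-app_Linux_x86_64.tar.gz"
  printf 'source bytes\n' > "$dir/celestia-app-1.1.0.tar.gz"
  echo "$dir"
}

# Write checksums.txt in the same two-space format as the release above,
# covering every regular file in the directory except checksums.txt itself.
# checksums.txt is skipped explicitly because the redirect creates it before
# the glob is expanded.
write_checksums() {
  dir=$1
  (
    cd "$dir"
    for f in *; do
      [ "$f" = checksums.txt ] && continue
      [ -f "$f" ] || continue
      sha256sum "$f"
    done > checksums.txt
  )
}

# Verify every listed file. --strict makes a malformed line a failure rather
# than a warning; exit status is 0 only when all digests match.
verify_checksums() {
  dir=$1
  ( cd "$dir" && sha256sum -c --strict --quiet checksums.txt )
}

# Usage: generate, verify, then show that a modified asset is rejected.
release=$(make_release_dir)
write_checksums "$release"
verify_checksums "$release" && echo "all assets verified"
printf 'tampered\n' > "$release/celestia-app-1.1.0.tar.gz"
verify_checksums "$release" || echo "mismatch detected as expected"
```

A checksums.txt like this proves that what was downloaded is what was uploaded; it does not prove who uploaded it, since an attacker who can replace the asset can usually replace the checksum file too. Signing checksums.txt (for example with a release key) is what closes that gap, and it is the reason GoReleaser produces one checksum file rather than per-asset digests.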

@PizBernina
Author

@rootulp yes, all. But I gave up on that and use the tar.gz now

@rootulp
Collaborator

rootulp commented Oct 16, 2023

Teku (client for Ethereum) does it this way (within Downloads): https://github.com/Consensys/teku/releases/tag/23.9.1

The tar.gz and .zip contain all the .jars but I don't see the source files.

@PizBernina
Author

zip (sha256: 8191a3447ba58e8a07d6f938e69324a6bf812fb6e4b6f07e1a648b480af7eb15)
This is what I mean I would like to have.

@rootulp
Collaborator

rootulp commented Oct 17, 2023

That zip doesn't appear to contain all the source files, it only contains the .jars. If it contains all the source files, can you point me to this file's location in the zip?

On second thought, I'm digressing from the original issue and it's probably not worth investigating Teku's specific implementation of this. I still don't quite understand why a checksum needs to exist for all the source files.

@rootulp rootulp closed this as not planned Won't fix, can't repro, duplicate, stale Jan 8, 2024