Signing releases


Troy Farrell

Aug 19, 2021, 1:05:53 AM
to Cap'n Proto

Hello everyone,

I am using Cap'n Proto in a Sandstorm project.  As part of the build process, a script downloads and builds the Cap'n Proto source from capnproto.org.  I would like to have a way to verify that the file I've downloaded matches what was released.  Would the release manager (Kenton?) please consider posting signatures or hashes for the releases?

Thanks for Cap'n Proto (and Sandstorm)!
Troy

Kenton Varda

Aug 19, 2021, 10:28:32 AM
to Troy Farrell, Cap'n Proto
Hi Troy,

Assuming you're downloading a specific release, I'd recommend checking the hash against a known-good hash, with a command like:

echo 'b28054a7a2bfea42bfc392c8d009630d94d72e8ce86a23ad6f18b5e72574064f  capnproto-c++-0.9.0.tar.gz' | sha256sum -c

Whenever you update to a newer version, you'd update the hash.

I'm not against also signing releases with an asymmetric key, but I don't think I'll have time to set up the infrastructure for that any time soon, sorry.

-Kenton
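
One way to wire the pinned-hash check above into a build script so that the build stops on a mismatch, as an added example that is not from the thread or from the Cap'n Proto project. The helper name `verify_pinned` is hypothetical; the pin in the usage comment is the one quoted in the message above.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded tarball against a pinned
# SHA-256. verify_pinned is a hypothetical helper name, not project code.

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its SHA-256 equals the pin.
# Returns 2 for a malformed pin or a missing file, 1 for a hash mismatch.
verify_pinned() {
    vp_file=$1
    # Normalise the pin to lowercase, the form sha256sum prints.
    vp_pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 64 hex digits, so an empty or
    # truncated variable can never be treated as a passing check.
    case $vp_pin in
        *[!0-9a-f]*|'') echo "verify_pinned: malformed pin" >&2; return 2 ;;
    esac
    if [ "${#vp_pin}" -ne 64 ]; then
        echo "verify_pinned: malformed pin" >&2
        return 2
    fi
    if [ ! -f "$vp_file" ]; then
        echo "verify_pinned: $vp_file not found" >&2
        return 2
    fi

    # Read via stdin so a file name starting with '-' is not parsed as an option.
    vp_actual=$(sha256sum < "$vp_file" | cut -d' ' -f1)
    if [ "$vp_actual" != "$vp_pin" ]; then
        echo "verify_pinned: hash mismatch for $vp_file" >&2
        echo "  expected $vp_pin" >&2
        echo "  actual   $vp_actual" >&2
        # Remove the artifact so a later build step cannot pick it up.
        rm -f -- "$vp_file"
        return 1
    fi
    return 0
}

# Usage in a build script, after the download step:
#   verify_pinned capnproto-c++-0.9.0.tar.gz \
#     b28054a7a2bfea42bfc392c8d009630d94d72e8ce86a23ad6f18b5e72574064f || exit 1
```

The pin belongs in the build script's own repository, so that changing it shows up in review alongside the version bump.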


Troy Farrell

Aug 20, 2021, 11:59:46 AM
to Cap'n Proto
Kenton wrote:
> Hi Troy,
>
> Assuming you're downloading a specific release, I'd recommend checking the hash against a known-good hash, with a command like:
>
> echo 'b28054a7a2bfea42bfc392c8d009630d94d72e8ce86a23ad6f18b5e72574064f  capnproto-c++-0.9.0.tar.gz' | sha256sum -c

This is what I'm currently doing for Rust, via Rustup-init.  If you don't mind, I'll just ask the list for the SHA256 of future releases if it's not included in the release announcement.

> Whenever you update to a newer version, you'd update the hash.
>
> I'm not against also signing releases with an asymmetric key, but I don't think I'll have time to set up the infrastructure for that any time soon, sorry.

I totally understand.  I haven't signed a release in ages.

Thanks!