Add checksums (SHA256) to GitHub releases for all files #29656
Comments
microsoft-github-policy-service
bot
added
the
customer-reported
|
Thank you for opening this issue, we will look into it. |
yonzhan
added
feature-request
Azure CLI Team
|
Hi @o-l-a-v, I noticed https://github.com/Beaver-Notes/Beaver-Notes/releases/tag/3.5.0 puts SHA256s in the release description:
https://github.com/PowerShell/PowerShell/releases/tag/v7.4.4 uses a different format:
How does Scoop extract this information from plaintext? |
|
I have a PR on Beaver Notes for Scoop that shows the info Scoop needs to fetch the SHA256 checksums: Here's the manifest for pwsh, looks like it fetches SHA256 info from release info too: Here's info on the Scoop app manifest: Here's Scoop main manifest repos, see if you can find more examples there:
Edit: And I believe the logic for getting new versions is found inside here: Which calls |
|
Thanks @o-l-a-v, but I think you misunderstand my question. In other words, how is BTW, I noticed Scoop computes the SHA256 of https://azcliprod.blob.core.windows.net/zip/azure-cli-2.63.0-x64.zip by itself: https://github.com/ScoopInstaller/Main/blob/75c4fa28f734a4849633a8bd920013bf7d93911a/bucket/azure-cli.json#L13 |
|
As the feature request states: Scoop can calculate SHA256 by downloading the artifact. But if checksum is already made available and Scoop is told were to look, it does not have to 1) download the artifact and 2) calculate hash. Scoop has logic to autoupdate manifests. If we add hash ( {
...
"autoupdate": {
"architecture": {
"64bit": {
"url": "https://github.com/Beaver-Notes/Beaver-Notes/releases/download/$version/Beaver-notes.$version.portable.exe#/dl.7z"
},
"arm64": {
"url": "https://github.com/Beaver-Notes/Beaver-Notes/releases/download/$version/Beaver-notes.$version.portable.arm64.exe#/dl.7z"
}
},
"hash": {
"url": "https://github.com/Beaver-Notes/Beaver-Notes/releases/tag/$version",
"regex": "$sha256.*?$basename"
}
}
}And for pwsh https://github.com/ScoopInstaller/Main/blob/master/bucket/pwsh.json: {
...
"autoupdate": {
"architecture": {
"64bit": {
"url": "https://github.com/PowerShell/PowerShell/releases/download/v$version/PowerShell-$version-win-x64.zip"
},
"32bit": {
"url": "https://github.com/PowerShell/PowerShell/releases/download/v$version/PowerShell-$version-win-x86.zip"
},
"arm64": {
"url": "https://github.com/PowerShell/PowerShell/releases/download/v$version/PowerShell-$version-win-arm64.zip"
}
},
"hash": {
"url": "$baseurl/hashes.sha256"
}
}
} |
|
There are som You could probably also just add checksum files to the GitHub release instead of adding it as plain text, if you prefer that. |
|
Thank you for the detailed explanation. BTW, we can reuse the code from https://github.com/PowerShell/PowerShell/blob/a1774fd9332925f7635e0832b64b2d158e3a3745/.pipelines/templates/release-githubtasks.yml#L88-L104 |
|
I noticed today that Python provides very convenient functions to compute file hashes: https://docs.python.org/3/library/hashlib.html#file-hashing import io, hashlib, hmac
with open(hashlib.__file__, "rb") as f:
digest = hashlib.file_digest(f, "sha256")
digest.hexdigest() |
|
Our release pipeline is on Linux, so the below command will do the job:
According to https://manpages.ubuntu.com/manpages/noble/man1/sha256sum.1.html
But it is still better to specify |
|
@o-l-a-v, we have updated the latest release (2.67.0) to include SHA256 hashes for the release artifacts in the release description: https://github.com/Azure/azure-cli/releases/tag/azure-cli-2.67.0 This is only experimental, so please let us know if this suits your needs. If you want us to change its format, feel free to let us know. 😊 Also, do you want us to publish a |
|
Nice! That should make it easy for both humans and automation like Scoop to find the checksums. I think I prefer one |
|
I am glad it works for you. 😊 Actually, I noticed https://github.com/Beaver-Notes/Beaver-Notes/releases doesn't have a dedicated file for hashes.
Does putting hashes only in release description work for you? Or is it still necessary for us to release dedicated hash file(s)? Also, there doesn't seem to be an industry standard on what should be inside that file. |
|
Hashes in description only works. If creating checksum file(s) it'd be great it they work with sha256sum:
Would be great if Microsoft had a standard across projects which can be managed by package managers, like Azure CLI, Bicep, PowerShell etc. Or if the GitHub releases API added checksum to each artifact. Edit: Example on how to mimic SHA256SUM on Windows with PowerShell: # Assets
$FilePath = [string] 'C:\Users\olavb\Desktop\azure-cli-2.67.0-x64.zip'
$OutputFilePath = [string] $FilePath + '.sha256'
# Using PowerShell native
<#
Examples where it's used:
* <https://github.com/pbek/QOwnNotes/blob/main/build-systems/github/windows/build-zip.ps1>
#>
Out-File -Encoding 'utf8' -Force -FilePath $OutputFilePath -InputObject (
[string]::Concat(
(Get-FileHash -Path $FilePath -Algorithm 'SHA256').'Hash',
' *',
$([System.IO.FileInfo]($FilePath)).'Name'
)
) |
|
@o-l-a-v, thanks for the additional information. As I mentioned in #29656 (comment), our pipeline is on a Linux agent, so a single There is even no convention on the hash file name: As "Hashes in description only works", I will keep it this way. If a dedicated hash file is needed someday, please don't hesitate to create a new issue. |
|
Perfect, thanks @jiasli. 😊 |
Related command
Add checksums (SHA256) to releases for all files, be it files hosted on GitHub (MSI, source code), and files from
azcliprod.blob.core.windows.net(ZIP, MSI etc.).Is your feature request related to a problem? Please describe.
azcliprod.blob.core.windows.netis so slow.Describe the solution you'd like
Add a list to GitHub releases with SHA256, like Beaver Notes does:
Describe alternatives you've considered
None.
Additional context
None.
The text was updated successfully, but these errors were encountered: