In this blog post I introduce aqua's Checksum Verification.
https://aquaproj.github.io/docs/reference/checksum/
aqua is a declarative CLI Version Manager written in Go.
From v1.20.0, aqua has supported Checksum Verification.
Checksum Verification is a feature that verifies downloaded assets against known checksums. An asset whose contents don't match the recorded checksum is rejected, which protects against a tampered or substituted download (a supply chain attack) and lets you install tools more safely.
By default, aqua's Checksum Verification is disabled. To enable it, add the following configuration to aqua.yaml.

```yaml
checksum:
  enabled: true
registries:
  - type: standard
    ref: v3.90.0 # renovate: depName=aquaproj/aqua-registry
packages:
  - name: golangci/golangci-lint@v1.46.2
```
aqua creates or updates a file aqua-checksums.json in the same directory as aqua.yaml.

e.g. aqua-checksums.json

```json
{
  "checksums": [
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-amd64.tar.gz",
      "checksum": "20cd1215e0420db8cfa94a6cd3c9d325f7b39c07f2415a02d111568d8bc9e271",
      "algorithm": "sha256"
    },
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-arm64.tar.gz",
      "checksum": "cabb1a4c35fe1dadbe5a81550a00871281a331e7660cd85ae16e936a7f0f6cfc",
      "algorithm": "sha256"
    }
  ]
}
```
Basically, you don't have to edit this file manually, because aqua updates it. Because the recorded checksums are what later installs are verified against, keep aqua-checksums.json under version control next to aqua.yaml.
Many tools publish checksum files alongside their release assets, so aqua gets the checksums from those files.
aqua update-checksum command

You can create or update aqua-checksums.json without installing the tools by running the aqua update-checksum command.

```sh
$ aqua update-checksum
```
By default, aqua update-checksum gets checksums from each tool's published checksum file (GitHub CLI, for example, publishes one with each release), so it can't get a checksum for a package whose release has no checksum file.
If the -deep option is set, aqua update-checksum downloads the assets and calculates the checksums itself.

```sh
$ aqua update-checksum -deep
```

Note that a checksum calculated with -deep is derived from the download itself, so it pins the asset as first seen rather than checking it against a value the publisher committed to. Any later download of that asset that differs from the recorded value is still rejected.
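The following is an added example, written for this post and not code from aqua itself. It shows the two steps the sections above describe: parsing a publisher's sha256sum-style checksum file and verifying downloaded assets against it, then emitting entries in the shape of aqua-checksums.json. The repository name example/tool, the version v1.0.0, the asset names and the asset bytes are all constructed for the example; the id layout follows the github_release entries shown earlier.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

type Checksum struct {
	ID        string `json:"id"`
	Checksum  string `json:"checksum"`
	Algorithm string `json:"algorithm"`
}

type Asset struct{ Name string; Data []byte }

// ParseSHA256SUMS parses the "<hex digest>  <filename>" lines that sha256sum emits.
func ParseSHA256SUMS(text string) (map[string]string, error) {
	sums := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if raw, err := hex.DecodeString(fields[0]); len(fields) != 2 || err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0]) // '*' marks binary mode
	}
	return sums, nil
}

// Verify hashes the downloaded bytes and compares them with the expected digest;
// nothing should be unpacked or executed before this check passes.
func Verify(data []byte, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("expected checksum %q is not a sha256 digest", expectedHex)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("checksum mismatch: want %s, got %x", expectedHex, got)
	}
	return nil
}

// VerifyRelease is the aqua-style flow: parse the publisher's checksum file, verify
// each downloaded asset against it, and return the entries to pin in aqua-checksums.json.
func VerifyRelease(repo, version, sumsText string, assets []Asset) ([]Checksum, error) {
	sums, err := ParseSHA256SUMS(sumsText)
	if err != nil {
		return nil, err
	}
	var out []Checksum
	for _, a := range assets {
		want, ok := sums[a.Name]
		if !ok {
			return nil, fmt.Errorf("no checksum published for %s", a.Name)
		}
		if err := Verify(a.Data, want); err != nil {
			return nil, fmt.Errorf("%s: %w", a.Name, err)
		}
		out = append(out, Checksum{
			ID:        fmt.Sprintf("github_release/github.com/%s/%s/%s", repo, version, a.Name),
			Checksum:  want,
			Algorithm: "sha256",
		})
	}
	return out, nil
}

// Constructed sample release for the hypothetical repo example/tool (not a real project).
var sampleAssets = []Asset{
	{"tool-1.0.0-darwin-arm64.tar.gz", []byte("constructed asset bytes: darwin/arm64")},
	{"tool-1.0.0-linux-amd64.tar.gz", []byte("constructed asset bytes: linux/amd64")},
}

func SampleSHA256SUMS() string {
	var b strings.Builder
	for _, a := range sampleAssets {
		fmt.Fprintf(&b, "%x  %s\n", sha256.Sum256(a.Data), a.Name)
	}
	return b.String()
}

func main() {
	entries, err := VerifyRelease("example/tool", "v1.0.0", SampleSHA256SUMS(), sampleAssets)
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(map[string][]Checksum{"checksums": entries}, "", "  ")
	fmt.Println(string(js))
	_, err = VerifyRelease("example/tool", "v1.0.0", SampleSHA256SUMS(), []Asset{{"tool-1.0.0-linux-amd64.tar.gz", []byte("attacker-substituted bytes")}})
	fmt.Println("tampered asset rejected:", err != nil) // a substituted download with the right name must fail
}
```

Running it prints the two entries in the aqua-checksums.json layout followed by `tampered asset rejected: true`. The point of the last call is the one that matters for supply chain safety: an asset whose name matches but whose bytes don't is refused before anything is unpacked. Note that this only helps if the recorded digest is trusted; if the checksum file and the asset are replaced together on the same release, both steps pass, which is why pinning the recorded value in a committed aqua-checksums.json is what catches a later substitution.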
Autoupdate aqua-checksums.json by GitHub Actions

You can autoupdate aqua-checksums.json with GitHub Actions. Please see the example.
https://github.com/aquaproj/example-update-checksum
Getting Started
Please see Getting Started.
Summary
In this blog post I've introduced aqua's Checksum Verification.
Checksum Verification is important for installing tools securely.
This feature is disabled by default, so please enable it.
This post doesn't cover all the details, so please see the official document too.