DEV Community

Shunsuke Suzuki
Shunsuke Suzuki

Posted on

Checksum Verification by aqua

In this blog post I introduce aqua's Checksum Verification.

https://aquaproj.github.io/docs/reference/checksum/

aqua is a declarative CLI Version Manager written in Go.

https://aquaproj.github.io/

From v1.20.0, aqua has supported Checksum Verification.
Checksum Verification is a feature verifying downloaded assets with checksum. Checksum Verification prevents the supply chain attack and allows you to install tools securely.

By default, aqua's Checksum Verification is disabled. To enable it, please add the configuration to aqua.yaml.

checksum:
  enabled: true
registries:
  - type: standard
    ref: v3.90.0 # renovate: depName=aquaproj/aqua-registry
packages:
  - name: golangci/golangci-lint@v1.46.2
Enter fullscreen mode Exit fullscreen mode

aqua creates or updates a file aqua-checksums.json in the same directory as aqua.yaml.

e.g. aqua-checksums.json

{
  "checksums": [
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-amd64.tar.gz",
      "checksum": "20cd1215e0420db8cfa94a6cd3c9d325f7b39c07f2415a02d111568d8bc9e271",
      "algorithm": "sha256"
    },
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-arm64.tar.gz",
      "checksum": "cabb1a4c35fe1dadbe5a81550a00871281a331e7660cd85ae16e936a7f0f6cfc",
      "algorithm": "sha256"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Basically, you don't have to edit this file manually, because this is updated by aqua.

Many tools publish checksum files, so aqua gets checksums from them.

e.g.

aqua update-checksum command

You can create or update aqua-checksums.json without installing tools by aqua update-checksum command.

$ aqua update-checksum
Enter fullscreen mode Exit fullscreen mode

By default, aqua update-checksum gets checksums from each tool's checksum files (e.g. GitHub CLI), so it can't get checksums if no checksum file of the package is released.

If -deep option is set, aqua update-checksum downloads assets to calculate checksums.

$ aqua update-checksum -deep
Enter fullscreen mode Exit fullscreen mode

Autoupdate aqua-checksums.json by GitHub Actions

You can autoupdate aqua-checksums.json by GitHub Actions. Please see the example.

https://github.com/aquaproj/example-update-checksum

Getting Started

Please see Getting Started.

Summary

In this blog post I've introduced aqua's Checksum Verification.
Checksum Verification is very important to install tools securely.
This feature is disabled by default, so please enable it.
In this blog I haven't described the detail, so please see the official document too.

https://aquaproj.github.io/docs/reference/checksum/

Top comments (0)

Read next

misolainthecloud profile image

Visualise Netflix Data using Amazon QuickSight.

Kemisola -

misolainthecloud profile image

Cloud Networking - Build a Virtual Private Cloud

Kemisola -

adityabhuyan profile image

How to Design a CPU from Scratch

Aditya Pratap Bhuyan -

anil_csimplifyit_905c profile image

The Evolution of AI in Software Testing: From Automation to Intelligence

Anil @ C Simplify IT -