DEV Community

Shunsuke Suzuki
Shunsuke Suzuki

Posted on

Checksum Verification by aqua

In this blog post I introduce aqua's Checksum Verification.

https://aquaproj.github.io/docs/reference/checksum/

aqua is a declarative CLI Version Manager written in Go.

https://aquaproj.github.io/

From v1.20.0, aqua has supported Checksum Verification.
Checksum Verification is a feature verifying downloaded assets with checksum. Checksum Verification prevents the supply chain attack and allows you to install tools securely.

By default, aqua's Checksum Verification is disabled. To enable it, please add the configuration to aqua.yaml.

checksum:
  enabled: true
registries:
  - type: standard
    ref: v3.90.0 # renovate: depName=aquaproj/aqua-registry
packages:
  - name: golangci/golangci-lint@v1.46.2
Enter fullscreen mode Exit fullscreen mode

aqua creates or updates a file aqua-checksums.json in the same directory as aqua.yaml.

e.g. aqua-checksums.json

{
  "checksums": [
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-amd64.tar.gz",
      "checksum": "20cd1215e0420db8cfa94a6cd3c9d325f7b39c07f2415a02d111568d8bc9e271",
      "algorithm": "sha256"
    },
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-arm64.tar.gz",
      "checksum": "cabb1a4c35fe1dadbe5a81550a00871281a331e7660cd85ae16e936a7f0f6cfc",
      "algorithm": "sha256"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Basically, you don't have to edit this file manually, because this is updated by aqua.

Many tools publish checksum files, so aqua gets checksums from them.

e.g.

aqua update-checksum command

You can create or update aqua-checksums.json without installing tools by aqua update-checksum command.

$ aqua update-checksum
Enter fullscreen mode Exit fullscreen mode

By default, aqua update-checksum gets checksums from each tool's checksum files (e.g. GitHub CLI), so it can't get checksums if no checksum file of the package is released.

If -deep option is set, aqua update-checksum downloads assets to calculate checksums.

$ aqua update-checksum -deep
Enter fullscreen mode Exit fullscreen mode

Autoupdate aqua-checksums.json by GitHub Actions

You can autoupdate aqua-checksums.json by GitHub Actions. Please see the example.

https://github.com/aquaproj/example-update-checksum

Getting Started

Please see Getting Started.

Summary

In this blog post I've introduced aqua's Checksum Verification.
Checksum Verification is very important to install tools securely.
This feature is disabled by default, so please enable it.
In this blog I haven't described the detail, so please see the official document too.

https://aquaproj.github.io/docs/reference/checksum/

Top comments (0)

Read next

dotnetfullstackdev profile image

Underrated Key Features in C# ( AS, IS, NameOf, Pattern Matching)

DotNet Full Stack Dev -

jarvisscript profile image

What are your goals for week 45 of 2024?

Chris Jarvis -

devopsbymani profile image

Top 20 Kubernetes Commands You Should Know [Chapter 1]

mani1765 -

hankchiutw profile image

Copy as Link: A simple Chrome extension that copies the selected text as a link to the current page's URL

Hank Chiu -