Hi Troy,

Assuming you're downloading a specific release, I'd recommend checking the
hash against a known-good hash, with a command like:

echo 'b28054a7a2bfea42bfc392c8d009630d94d72e8ce86a23ad6f18b5e72574064f  capnproto-c++-0.9.0.tar.gz' | sha256sum -c

Whenever you update to a newer version, you'd update the hash.

I'm not against also signing releases with an asymmetric key, but I don't
think I'll have time to set up the infrastructure for that any time soon,
sorry.

-Kenton

On Thu, Aug 19, 2021 at 12:05 AM Troy Farrell <troyjfarr...@gmail.com>
wrote:

>
> Hello everyone,
>
> I am using Cap'n Proto in a Sandstorm project.  As part of the build
> process, a script downloads and builds the Cap'n Proto source from
> capnproto.org.  I would like to have a way to verify that the file I've
> downloaded matches what was released.  Would the release manager (Kenton?)
> please consider posting signatures or hashes for the releases?
>
> Thanks for Cap'n Proto (and Sandstorm)!
> Troy
>
> --
> You received this message because you are subscribed to the Google Groups
> "Cap'n Proto" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to capnproto+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/capnproto/5284d2f4-0912-4855-ab09-ddd2eaa5cb4cn%40googlegroups.com
> <https://groups.google.com/d/msgid/capnproto/5284d2f4-0912-4855-ab09-ddd2eaa5cb4cn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
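
The hash check suggested in this thread, written as a build-script step; this is an added example, not code from the thread or from the Cap'n Proto project. The function names are hypothetical, the pin is the value quoted in the reply, and the download step is assumed to have already run.

```sh
#!/bin/sh
# Added example: pin-and-verify step for a build script (not project code).
# Pin taken from the reply above; update both values together on upgrade.
CAPNP_TARBALL='capnproto-c++-0.9.0.tar.gz'
CAPNP_SHA256='b28054a7a2bfea42bfc392c8d009630d94d72e8ce86a23ad6f18b5e72574064f'

# Print the lowercase hex SHA-256 of file $1 (hypothetical helper).
# Reading from stdin keeps odd file names out of the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2; return 2
    fi
}

# verify_sha256 FILE PIN: 0 = match, 1 = mismatch, 2 = cannot check.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped pin must fail loudly, never "pass".
    case $expected in
        *[!0-9a-f]*|'') echo "malformed pin for $file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed pin for $file" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# unpack_verified TARBALL PIN DEST: extract only after the hash matches,
# so unverified archive contents never reach the build tree.
unpack_verified() {
    verify_sha256 "$1" "$2" || return $?
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Typical call after the download step (download itself not shown):
#   unpack_verified "$CAPNP_TARBALL" "$CAPNP_SHA256" build/ || exit 1
```

Keeping the pin in the build script's own repository means a change to the expected hash shows up in review alongside the version bump.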
