Release checksums on GitHub

Hi, how can I view the SHA256 checksum for a release on GitHub? I need such checksums for new easyconfig files in EasyBuild. Can’t find checksums anywhere! Thanks.

Hello and welcome to the community @Ghepardo.

GitHub doesn’t have built-in support for checksums in Releases. The author of the release would have to include that information in the release notes.

Let us know if you have more questions.


Hi, thanks and noted, @lee_dohm.

Given that GitHub is a software repository, it is very strange that it does not enforce checksums for releases. Otherwise, how is any consumer of the software to have confidence that their copy of it has not been tampered with or damaged? This is a basic requirement for any respectable repository.


Traditional checksum systems don’t give any real evidence that the file downloaded has not been tampered with or damaged. They only signify that the person who was able to modify two separate files on the same server was able to make them agree. There is no evidence available to the person downloading those two files that the person who last modified them is someone they trust. For example, Linux Mint was compromised in exactly this way.

In order to offer evidence that a file has not been tampered with or damaged, it would require a digital certificate as part of the file itself, signed with a key that can be verified by a trusted mechanism. The GitHub releases system works well with these kinds of protocols. When using one of these protocols, checksums are superfluous.

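The distinction drawn above, as an added example that is not part of this thread or of any GitHub feature: a release author publishes a SHA256SUMS manifest and a detached Ed25519 signature over it, and the consumer checks both. The key pair, file names and payloads are constructed for the demo; the public key is assumed to reach the consumer out of band rather than from the download server.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Manifest is a SHA256SUMS file plus a detached signature over its bytes.
type Manifest struct {
	Sums []byte // lines of the form "<hex sha256>  <filename>"
	Sig  []byte // Ed25519 signature over Sums, made with the maintainer's private key
}
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}
// SignRelease is the author's step: write the manifest entry and sign it with a key that never leaves them.
func SignRelease(priv ed25519.PrivateKey, name string, data []byte) Manifest {
	sums := []byte(sha256Hex(data) + "  " + name + "\n")
	return Manifest{Sums: sums, Sig: ed25519.Sign(priv, sums)}
}

// ChecksumMatches is the traditional check: it only proves file and manifest agree with each other.
func ChecksumMatches(m Manifest, name string, data []byte) bool {
	for _, line := range strings.Split(string(m.Sums), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			return f[0] == sha256Hex(data)
		}
	}
	return false
}

// VerifyDownload also demands a valid signature under pub, obtained out of band (not from the download server).
func VerifyDownload(pub ed25519.PublicKey, m Manifest, name string, data []byte) bool {
	return ed25519.Verify(pub, m.Sums, m.Sig) && ChecksumMatches(m, name, data)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed maintainer key pair
	good, evil := []byte("constructed installer v1"), []byte("constructed tampered file")
	m := SignRelease(priv, "installer.bin", good)
	// Server compromise: file and SHA256SUMS rewritten to agree; the attacker cannot re-sign, so the stale signature stays.
	forged := Manifest{Sums: []byte(sha256Hex(evil) + "  installer.bin\n"), Sig: m.Sig}
	fmt.Println(VerifyDownload(pub, m, "installer.bin", good), // true: honest release
		ChecksumMatches(forged, "installer.bin", evil),        // true: checksum alone is fooled
		VerifyDownload(pub, forged, "installer.bin", evil))    // false: signature rejects it
}
```

A corrupted or truncated download fails the same check, since its hash no longer matches the signed manifest entry.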

Thanks @lee_dohm for your excellent observations, from which I have learned much.


In my case, an installer file (70MB) takes forever to download from Amazon S3 (20KB/s) and it always times out before completion. I had to download it from other sources, but I want to verify that the downloaded file is identical to the release on GitHub.

Providing a hash of the release files would be valuable to many users.

SHA256 is pretty solid and definitely not easily reproducible!
But besides security concerns, this is still used by many package managers (Conda, Conan, Brew, to name a few), so it seems natural to have it generated on upload. Is this considered?

Thanks

I also miss checksums.

If I made one myself, the file might already have been corrupted while downloading it to my machine.
If I want to use the GitHub API in an application, I need to verify that the downloaded file is 1:1 the same as on the GitHub server.