Release checksums on GitHub

Hi, how can I view the SHA256 checksum for a release on GitHub? I need such checksums for new easyconfig files in EasyBuild. Can’t find checksums anywhere! Thanks.

Hello and welcome to the community @Ghepardo.

GitHub doesn’t have built-in support for checksums in Releases. The author of the release would have to include that information in the release notes.

Let us know if you have more questions.

1 Like

Hi, thanks and noted, @lee_dohm.

Given that GitHub is a software repository, it is very strange that it does not enforce checksums for releases. Otherwise, how is any consumer of the software to have confidence that their copy of it has not been tampered with or damaged? This is a basic requirement for any respectable repository.

1 Like

Traditional checksum systems don’t give any real evidence that the file downloaded has not been tampered with or damaged. It only signifies that the person who was able to modify two separate files on the same server was able to make them agree. There is no evidence available to the person downloading those two files that the person who last modified them is someone they trust. For example, Linux Mint was compromised in exactly this way.

In order to offer evidence that a file has not been tampered with or damaged, it would require a digital certificate as part of the file itself, signed with a key that can be verified by a trusted mechanism. The GitHub releases system works well with these kinds of protocols. When using one of these protocols, checksums are superfluous.

1 Like

Thanks @lee-dohm for your excellent observations, from which I have learned much.

1 Like

In my case, an installer file (70MB) takes forever to download from Amazon S3 (20KB/s) and it always times out before completion. I had to download it from other sources, but I want to verify that the downloaded file is identical to the release on Github.

Providing a hash of the release files would be valuable to many users.

SHA256 is pretty solid and definitely not easily reproducible!
But besides security concerns, this is still used by many package managers for instance (Conda, Conan, Brew to name a few) so it seems natural to have it generated on upload, is this considered?


I also miss checksums.

If I would make one myself, maybe the file got corrupted while downloading it on my machine.
If I want to use the github API in an application, I need to verify, that the downloaded file is 1:1 the same on the github server.

While there are still many attacks when sums are just published on the same site with the release, sums still do their job to prove that:

  • there was no man in the middle
  • file was not damaged due to software/connectivity issues

Moreover many package managers REQUIRE AND ENFORCE presence of checksums. If you want to download something in your automated builds you MUST specify checksum. Ignoring this just makes github and its flows extremely unfriendly to software engineers. Making this question as solved just show that github pays little attention to its users’ problems.