are there checksums (for releases) ?

[ilia-shipitsin]

Hello,

github runner images team here.
we are looking for securing supply chains when adding software to CI images.

are there checksum available ? or maybe some recommended validation approach.

thanks!

[smowton]

Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?

[ilia-shipitsin]

we download codeql bundles using https://github.com/actions/runner-images/blob/main/images/win/scripts/Installers/Install-CodeQLBundle.ps1

files like "https://github.com/github/codeql-action/releases/download/$($Bundle.TagName)/codeql-bundle.tar.gz"

[adityasharad]

@ilia-shipitsin since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact) do you have a preference between the following options?

• a single checksums file containing checksums and filenames for each of the 4 files, on separate lines (this is what the gh CLI does for example)
• one checksum file for each artifact

[jsoref]

The standard unix model is one signature per file, since it enables wget $url{,.sig}.