Replies: 1 comment 1 reply
-
The hash digest of the source code archive files? GitHub dynamically creates the zip/tar.gz file on the releases page, and not the Shadow project. I don't think adding a digest would be useful as (1) we didn't create it, (2) GitHub may change how it generates the archive and then the digest wouldn't match, and (3) GitHub controls everything from the repository to the website to the code archive, so the Shadow project already puts complete trust in GitHub. Is there any particular reason for wanting the digest of the source code archive? If you want to verify the code locally, the tagged releases in the git repository are signed, so you can verify them with @robgjansen's gpg key. (@robgjansen is this the same key that you sign the commits with?) |
Beta Was this translation helpful? Give feedback.
-
It would be appreciated if users could verify integrity of Shadow simulator. Please include them both on the website and Github release page.
Beta Was this translation helpful? Give feedback.
All reactions