dotnet/installer

Matching SHA/SHA512 file downloads for 'patch-agnostic ... runtime downloads'

bevanweiss opened this issue · 4 comments

With reference to the issue which resulted in patch-agnostic downloads being available
#11040
It would be really great if there were also SHA/SHA512 files available alongside these to allow for some kind of verification that the download itself was correct (correct as per sha reported content... not necessarily free from malicious interference).

I have tried the likes of
https://aka.ms/dotnet/8.0/dotnet-runtime-win-x64.exe.sha and
https://aka.ms/dotnet/8.0/dotnet-runtime-win-x64.exe.sha512
but without success.

I don't know if there are links for the runtime but they do exist for the SDK:
https://aka.ms/dotnet/8.0.4xx/daily/dotnet-sdk-win-x64.exe.sha

See the checksum links on this table: https://github.com/dotnet/sdk/blob/main/documentation/package-table.md

Those are only for daily builds, which we wouldn't want to deploy to staging, or production environments (the places we'd most like to have SHA confirmations).

If you want SHAs for the stable releases you'll want to look at the releases index along with the per-release-channel release manifests. These are updated every release, and in the per-version release manifest you can find a SHA for the various release artifacts:

image
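
The manifest lookup described in the comment above, as an added example (not part of the thread and not code from the dotnet project): it resolves the channel's latest runtime version from a per-channel release manifest and compares the published SHA-512 with the downloaded bytes. The field names (`latest-runtime`, `releases`, `runtime.files[].name`/`rid`/`hash`) are assumed from the layout of the published `releases.json` files, and the manifest, versions and file contents are constructed samples.

```python
import hashlib
import hmac
import io

def published_sha512(manifest, file_name, rid, version=None):
    """Return (version, hash) for a runtime file; defaults to the channel's latest runtime."""
    version = version or manifest["latest-runtime"]   # assumed field name
    for release in manifest["releases"]:
        runtime = release.get("runtime") or {}
        if runtime.get("version") != version:
            continue
        for entry in runtime.get("files", []):
            if entry.get("name") == file_name and entry.get("rid") == rid:
                return version, entry["hash"].strip().lower()
    raise LookupError(f"no hash published for {file_name} ({rid}) in runtime {version}")

def sha512_of(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large installers are not read into memory."""
    digest = hashlib.sha512()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

def verify_download(stream, manifest, file_name, rid, version=None):
    """True only if the downloaded bytes match the hash published for that release."""
    _, expected = published_sha512(manifest, file_name, rid, version)
    return hmac.compare_digest(sha512_of(stream), expected)

# Constructed stand-ins for two installer builds and a per-channel manifest.
LATEST_BYTES = b"constructed stand-in: dotnet-runtime-win-x64.exe, latest patch"
OLDER_BYTES = b"constructed stand-in: dotnet-runtime-win-x64.exe, previous patch"

def _file(name, rid, data):
    # Upper-case hex on purpose: the lookup normalises case before comparing.
    return {"name": name, "rid": rid, "hash": hashlib.sha512(data).hexdigest().upper()}

SAMPLE_MANIFEST = {
    "channel-version": "8.0",
    "latest-runtime": "8.0.4",
    "releases": [
        {"release-version": "8.0.4", "runtime": {"version": "8.0.4", "files": [
            _file("dotnet-runtime-win-x64.zip", "win-x64", b"constructed zip"),
            _file("dotnet-runtime-win-x64.exe", "win-x64", LATEST_BYTES)]}},
        {"release-version": "8.0.3", "runtime": {"version": "8.0.3", "files": [
            _file("dotnet-runtime-win-x64.exe", "win-x64", OLDER_BYTES)]}},
    ],
}

if __name__ == "__main__":
    name, rid = "dotnet-runtime-win-x64.exe", "win-x64"
    print(verify_download(io.BytesIO(LATEST_BYTES), SAMPLE_MANIFEST, name, rid))
```

A mismatch against the latest entry can also mean the short link and the manifest were read on either side of a release, so a caller may want to retry with a freshly fetched manifest before rejecting the file.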

That sounds like an incredibly complicated process to deal with if my 'short form' link to the DotNet runtime is as shown below:
https://aka.ms/dotnet/LTS/dotnet-runtime-win-x64.exe

I understand if the issue (as raised) is considered as a "won't fix", but I'd argue against it currently being considered as 'complete' just because there are some hashes available. They are not provided in a manner that is as convenient as the binary artifacts are available.