DEV Community

Shunsuke Suzuki

Checksum Verification by aqua

In this blog post I introduce aqua's Checksum Verification.

https://aquaproj.github.io/docs/reference/checksum/

aqua is a declarative CLI Version Manager written in Go.

https://aquaproj.github.io/

Since v1.20.0, aqua has supported Checksum Verification.
Checksum Verification is a feature that compares the checksum of each downloaded asset with the checksum recorded for it and refuses to install the asset when they differ. This protects against supply chain attacks and lets you install tools securely.

By default, aqua's Checksum Verification is disabled. To enable it, add the following configuration to aqua.yaml.

checksum:
  enabled: true
registries:
  - type: standard
    ref: v3.90.0 # renovate: depName=aquaproj/aqua-registry
packages:
  - name: golangci/golangci-lint@v1.46.2

aqua creates or updates a file aqua-checksums.json in the same directory as aqua.yaml.

Example aqua-checksums.json:

{
  "checksums": [
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-amd64.tar.gz",
      "checksum": "20cd1215e0420db8cfa94a6cd3c9d325f7b39c07f2415a02d111568d8bc9e271",
      "algorithm": "sha256"
    },
    {
      "id": "github_release/github.com/golangci/golangci-lint/v1.49.0/golangci-lint-1.49.0-darwin-arm64.tar.gz",
      "checksum": "cabb1a4c35fe1dadbe5a81550a00871281a331e7660cd85ae16e936a7f0f6cfc",
      "algorithm": "sha256"
    }
  ]
}

Normally you don't have to edit this file by hand, because aqua creates and updates it for you.
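To make the verification step concrete, here is an added example (not aqua's own code) that reads a file in the aqua-checksums.json layout shown above, looks up an asset by its id, hashes the downloaded bytes with SHA-256 and compares the result in constant time. The asset id, the asset bytes and the checksum entry are all constructed for this example; the one thing taken from the page is the JSON structure (`checksums`, `id`, `checksum`, `algorithm`). Note the defender-side detail: an asset with no recorded entry fails verification instead of passing, so removing a pin is not a way around the check.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ChecksumFile mirrors the layout of aqua-checksums.json shown above.
type ChecksumFile struct {
	Checksums []ChecksumEntry `json:"checksums"`
}

// ChecksumEntry is one pinned asset: its id, hex digest and algorithm.
type ChecksumEntry struct {
	ID        string `json:"id"`
	Checksum  string `json:"checksum"`
	Algorithm string `json:"algorithm"`
}

// Constructed bytes standing in for a downloaded release archive.
var assetBytes = []byte("constructed release archive for example purposes\n")

// Constructed asset id in the same form as the ids in aqua-checksums.json.
const assetID = "github_release/github.com/example/tool/v1.0.0/tool-1.0.0-linux-amd64.tar.gz"

// sha256Hex returns the lowercase hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// checksumsJSON is a constructed aqua-checksums.json whose single entry is
// the real digest of assetBytes, so the genuine asset verifies.
var checksumsJSON = fmt.Sprintf(`{
  "checksums": [
    {
      "id": %q,
      "checksum": %q,
      "algorithm": "sha256"
    }
  ]
}`, assetID, sha256Hex(assetBytes))

var (
	ErrNoEntry   = errors.New("no checksum recorded for asset")
	ErrAlgorithm = errors.New("unsupported checksum algorithm")
	ErrMismatch  = errors.New("checksum mismatch")
)

// LoadChecksums parses aqua-checksums.json into a lookup keyed by asset id.
func LoadChecksums(raw []byte) (map[string]ChecksumEntry, error) {
	var f ChecksumFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	byID := make(map[string]ChecksumEntry, len(f.Checksums))
	for _, e := range f.Checksums {
		byID[e.ID] = e
	}
	return byID, nil
}

// Verify compares the digest of a downloaded asset with the entry recorded
// for its id. A missing entry is a failure, not a pass: otherwise dropping
// the pin would be enough to get an unverified asset installed.
func Verify(entries map[string]ChecksumEntry, id string, data []byte) error {
	e, ok := entries[id]
	if !ok {
		return fmt.Errorf("%w: %s", ErrNoEntry, id)
	}
	if e.Algorithm != "sha256" {
		return fmt.Errorf("%w: %s", ErrAlgorithm, e.Algorithm)
	}
	got := sha256Hex(data)
	if subtle.ConstantTimeCompare([]byte(got), []byte(e.Checksum)) != 1 {
		return fmt.Errorf("%w: want %s, got %s", ErrMismatch, e.Checksum, got)
	}
	return nil
}

func main() {
	entries, err := LoadChecksums([]byte(checksumsJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine asset:", Verify(entries, assetID, assetBytes))
	// Flip one byte to simulate a substituted download.
	tampered := append([]byte{}, assetBytes...)
	tampered[0] ^= 0xff
	fmt.Println("tampered asset:", Verify(entries, assetID, tampered))
}
```

The same shape applies to any pinned-download scheme: the pin file is the trusted input, the download is untrusted, and every path other than "entry present, algorithm known, digest equal" is a rejection.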

Many tools publish checksum files alongside their release assets, so aqua takes the checksums from those files.

aqua update-checksum command

You can create or update aqua-checksums.json without installing the tools by running the aqua update-checksum command.

$ aqua update-checksum

By default, aqua update-checksum reads checksums from the checksum file each tool publishes (GitHub CLI, for example), so it can't obtain a checksum for a package whose release includes no checksum file.

If the -deep option is set, aqua update-checksum downloads the assets themselves and calculates their checksums.

$ aqua update-checksum -deep
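The two modes of aqua update-checksum described above, as an added example rather than aqua's own implementation: the default mode parses a published checksum file in sha256sum format ("<hex digest>  <file name>", the layout GitHub CLI and many other projects ship with each release), and the -deep mode hashes the downloaded asset bytes directly. The checksum file text, the digests in it and the asset prefix are all constructed for this example; the function names are mine. The fallback order matters: with no checksum file and no -deep, the update refuses rather than writing an empty pin.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Entry mirrors one item of aqua-checksums.json.
type Entry struct {
	ID        string
	Checksum  string
	Algorithm string
}

// Constructed asset id prefix in the style of aqua-checksums.json.
const assetPrefix = "github_release/github.com/example/tool/v1.0.0"

// Constructed checksum file in sha256sum format. The second line uses the
// "*name" binary-mode marker that sha256sum emits on some platforms.
const checksumFileText = `# checksums for tool v1.0.0 (constructed)
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  tool-1.0.0-linux-amd64.tar.gz
fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 *tool-1.0.0-darwin-arm64.tar.gz
`

var hexDigest = regexp.MustCompile(`^[0-9a-f]{64}$`)

var ErrNoChecksumFile = errors.New("package publishes no checksum file; rerun with -deep")

// ParseChecksumFile builds entries from a published checksum file. Blank and
// '#' lines are skipped; any other malformed line is an error rather than
// being silently dropped, so a truncated or garbled file cannot produce
// fewer pins than expected without anyone noticing.
func ParseChecksumFile(prefix, text string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected '<digest> <file>', got %q", n, line)
		}
		digest := strings.ToLower(fields[0])
		if !hexDigest.MatchString(digest) {
			return nil, fmt.Errorf("line %d: %q is not a sha256 hex digest", n, fields[0])
		}
		name := strings.TrimPrefix(fields[1], "*")
		entries = append(entries, Entry{ID: prefix + "/" + name, Checksum: digest, Algorithm: "sha256"})
	}
	return entries, sc.Err()
}

// ComputeEntries is the -deep path: hash the downloaded asset bytes directly.
func ComputeEntries(prefix string, assets map[string][]byte) []Entry {
	var entries []Entry
	for name, data := range assets {
		sum := sha256.Sum256(data)
		entries = append(entries, Entry{ID: prefix + "/" + name, Checksum: hex.EncodeToString(sum[:]), Algorithm: "sha256"})
	}
	return entries
}

// UpdateChecksums prefers the published checksum file, falls back to hashing
// the assets only when deep is set, and otherwise refuses.
func UpdateChecksums(prefix, checksumFile string, assets map[string][]byte, deep bool) ([]Entry, error) {
	if checksumFile != "" {
		return ParseChecksumFile(prefix, checksumFile)
	}
	if deep {
		return ComputeEntries(prefix, assets), nil
	}
	return nil, ErrNoChecksumFile
}

func main() {
	entries, err := UpdateChecksums(assetPrefix, checksumFileText, nil, false)
	fmt.Println("from checksum file:", entries, err)
	_, err = UpdateChecksums(assetPrefix, "", nil, false)
	fmt.Println("no checksum file, no -deep:", err)
	assets := map[string][]byte{"tool-1.0.0-linux-arm64.tar.gz": []byte("constructed asset bytes")}
	entries, err = UpdateChecksums(assetPrefix, "", assets, true)
	fmt.Println("no checksum file, -deep:", entries, err)
}
```

One caveat worth keeping in mind with the -deep path: a digest computed from whatever was downloaded pins that download, so it only helps if the first fetch was genuine; a published checksum file gives a second source to compare against.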

Autoupdate aqua-checksums.json by GitHub Actions

You can update aqua-checksums.json automatically with GitHub Actions. See the example repository.

https://github.com/aquaproj/example-update-checksum

Getting Started

Please see Getting Started.

Summary

In this blog post I've introduced aqua's Checksum Verification.
Checksum Verification is very important for installing tools securely.
This feature is disabled by default, so please enable it.
This post hasn't covered the details, so please see the official documentation too.

https://aquaproj.github.io/docs/reference/checksum/
