Terragrunt: sha256 verification for the download binaries

Created on 20 Nov 2018 · 9 Comments · Source: gruntwork-io/terragrunt

I'm not familiar with GitHub's GPG signing of commits and general binary generation for releases.

Can you post a SHA-256 of the binaries for verification?

Labels: enhancement, help wanted

All 9 comments

We do not currently publish checksums, but it's definitely a good idea to do so, so I've marked it as an enhancement for us to consider for the future.

Pending publication of said checksums, what is the workaround?

The best I can do is post the checksum I get, so someone here can confirm:

$ sha256sum terragrunt_linux_amd64 # v0.17.4
7bdedb8c859450ea6fdd995c4c25f7bcdf6f7122f175268a896a3810a27ae85b  terragrunt_linux_amd64

Is this checksum correct?

$ sha256sum terragrunt_linux_amd64
7bdedb8c859450ea6fdd995c4c25f7bcdf6f7122f175268a896a3810a27ae85b  terragrunt_linux_amd64

@211217613 Commits, merge commits, and tags created via the GitHub UI can optionally be signed by GitHub's signing keys. Depending on which infrastructure GitHub uses to sign commits vs. hosting git repositories and their web applications, this may only be marginally more verified than no signature at all.

GitHub themselves do not generate the binaries; the binaries are compiled by CircleCI, which is all configured here. Once the binaries are compiled, they are uploaded to GitHub as the release binaries that will eventually be downloaded.

Distributing checksums alongside binaries isn't really more secure than distributing without. Since you're distributing both within the same channel, at the same time, via the same methods, they are both at risk if the application that serves both is compromised. A far better solution would be for Gruntwork to use a long-lived PGP signing key that is distributed separately and is available from multiple sources (their website, the git repository, etc.).

Hope this answers all your questions and concerns.
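The manual `sha256sum` comparison a few comments up, and the caveat just above about where the expected digest comes from, as an added example that is not part of this thread or of the Terragrunt project. The script below assumes the expected digest was obtained out of band (copied from a comment or release note you trust, not fetched alongside the binary), compares the full 64-hex-character digest case-insensitively, and shows the check failing on a tampered copy. The file it hashes is a constructed stand-in, not a real Terragrunt release; `sha256_of`, `verify_sha256` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example, not Terragrunt project code.
# Verify a downloaded release binary against a SHA-256 digest that was
# obtained separately from the download itself.

# Print the SHA-256 hex digest of a file; works with GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 when the file's digest equals EXPECTED_HEX (case-insensitive),
#   1 on a mismatch, 2 on a malformed digest or unreadable file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Refuse anything that is not exactly 64 lowercase hex characters, so a
    # truncated or mis-pasted digest is an error rather than a silent mismatch.
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo on a constructed stand-in for the binary (assumption: not a real release).
demo() {
    tmp=$(mktemp -d)
    bin="$tmp/terragrunt_linux_amd64"
    printf 'fake terragrunt binary\n' > "$bin"
    good=$(sha256_of "$bin")          # stands in for the digest you were given out of band
    verify_sha256 "$bin" "$good" && echo "OK: digest matches"
    printf 'x' >> "$bin"              # simulate a tampered download: one extra byte
    verify_sha256 "$bin" "$good" || echo "rejected tampered file"
    rm -rf "$tmp"
}

demo
```

Once a maintainers' `SHA256SUMS` file is published, `sha256sum -c SHA256SUMS` does the same comparison for every listed file; and once a detached signature is published, `gpg --verify terragrunt_linux_amd64.sig terragrunt_linux_amd64` (with the signing key fetched from a second source) covers the case the comment above describes, where the checksum and the binary came from the same possibly compromised host.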

@brikis98

How about publishing a .sig alongside the release, created by gruntworkci, that can be easily verified? This would align with what @conn is stating.

Proofs, or simple checksum files, could also be posted to https://keybase.pub/gruntworkci/ during the release process.

Sidenote: A wrapper similar to tfenv could be made, which automatically validates the binary upon install. Handling windows users with a powershell script would take a bit more effort.

The problem is that their private signing key would probably need to be handled by CircleCI. Ideally Gruntwork would be the only ones to control it, which would mean running their own build infrastructure.

Can Keybase host a series of checksums? I thought it was only for discovering public keys.

669 has been merged. This should be closed. Thanks for the reviews!

Thank you @conn!

You're welcome! Glad to help.
