There is no way to verify the binary

[darthdeus]

I know this might seem paranoid, but if the only way to get websocketd is to download a binary over HTTP ...

[asergeyev]

Good point, next release should have CHECKSUMS file.

[joewalnes]

Can anyone recommend good practices for this?

[asergeyev]

For now I think we can have at least some checksums released with binaries. We can add signature by one of our PGP keys but it would solve complete paranoia when any of our machines (as builders of binaries) are infected by something.

Only recepie here is to inspect sources and build yourself.

[joewalnes]

Sounds good. Can you incorporate all the necessary signing tasks into the release/Makefile. We'll share the keys ourselves privately of course.

[darthdeus]

Checksums are definitely good enough. +1

@asergeyev How can I build websocketd? I'm not really that familiar with Go development tools, so not sure what to install or how to properly compile it.

[asergeyev]

I guess you'll end up with stuff that you don't need this way but we have release makefile that could be helpful:

git clone https://github.com/joewalnes/websocketd
cd websocketd/release
# you may also do 
git pull --tags 
make binaries

Then you should get out/0.2.10 dir with bunch of cross-compiled things. You might reduce number of things that it would built by changing PLATFORMS variable in Makefile or in command line... e.g:

make binaries PLATFORMS=linux_amd64
make binaries PLATFORMS=darwin_amd64
make binaries PLATFORMS=windows_amd64

[asergeyev]

See also CHECKSUMS in pre-release https://github.com/joewalnes/websocketd/releases/tag/v0.2.10 (not yet signed, subject to change)

[asergeyev]

Ok, signed checksums will be available. No promises about signing with same key made but it's verifiable now.