Add automatic and consistent checksums to releases

[vertigo220]

As discussed here, checksums should really be a standard feature on GitHub. While I realize they don't provide as much protection against tampering as signatures, they should still be used for a variety of reasons:

1. very few projects use signatures;
2. checksums are easier for most people to use;
3. signatures aren't even necessarily secure since most people don't have an established web-of-trust in order to verify the signature they're using is actually legit;
4. the checksums could be calculated on initial upload only (i.e. if a file is modified after it's uploaded, the checksum would stay the same and not be recalculated) then stored on a different site, so even if someone gained access to GitHub and was able to modify files maliciously, they would have to gain access to the secondary site simultaneously in order to modify the checksums, vastly increasing the security provided; and
5. at the very least, they will provide the ability to verify file integrity, which is almost as important, especially for those on slower or unstable connections, and is a universal benefit, making it in a way more important as it's helpful to everyone.

Finally, not only should they be added, but the process should be automatic so it doesn't rely on the repo maintainer, and it should be standardized, to allow for checking automatically with a tool (download/package manager, etc). It would require very little overhead, storage, and bandwidth, practically no extra time once set up, and would offer significant benefit.

[iuuky]

Checksums are also useful in situations when you want to automatically download latest releases with the same name. To prevent re-downloading latest, but unchanged, releases, you could just check whether the checksum changed. Currently, you have to keep track of versions externally.

[na-jakobs]

Please add a checksum for Releases zip files that are generated on the GitHub side 🙏

[Myahr208]

Ok

[victor1234]

CMake FetchContent needs shecksum for example.

[smallstepman]

should also be a part of Releases API

[untereiner]

is it so difficult for a large staff like github's one to take one hour to add to release API a function that makes a call to another function that computes a checksum ?

[Myahr208]

As discussed here, checksums should really be a standard feature on GitHub. While I realize they don't provide as much protection against tampering as signatures, they should still be used for a variety of reasons:

1. very few projects use signatures;
2. checksums are easier for most people to use;
3. signatures aren't even necessarily secure since most people don't have an established web-of-trust in order to verify the signature they're using is actually legit;
4. the checksums could be calculated on initial upload only (i.e. if a file is modified after it's uploaded, the checksum would stay the same and not be recalculated) then stored on a different site, so even if someone gained access to GitHub and was able to modify files maliciously, they would have to gain access to the secondary site simultaneously in order to modify the checksums, vastly increasing the security provided; and
5. at the very least, they will provide the ability to verify file integrity, which is almost as important, especially for those on slower or unstable connections, and is a universal benefit, making it in a way more important as it's helpful to everyone.

Finally, not only should they be added, but the process should be automatic so it doesn't rely on the repo maintainer, and it should be standardized, to allow for checking automatically with a tool (download/package manager, etc). It would require very little overhead, storage, and bandwidth, practically no extra time once set up, and would offer significant benefit.