Add SHA256 checksum verification for downloaded binaries #521

Merged: bartlomieju merged 2 commits into main from checksum-verification on Mar 25, 2026

@bartlomieju

Summary

  • Verify Deno binary integrity in bin.dockerfile using .sha256sum files from dl.deno.land
  • Verify tini binary integrity in all variant Dockerfiles (alpine, ubuntu, debian, distroless) using .sha256sum files from tini GitHub releases
  • Builds will now fail immediately if a downloaded binary doesn't match its expected checksum

Closes #162

Test plan

  • Build bin.dockerfile for amd64 and arm64 — verify checksum passes
  • Build each variant Dockerfile — verify tini checksum passes
  • Corrupt a download (e.g. truncate the zip) and confirm the build fails at the sha256sum -c step

🤖 Generated with Claude Code

bartlomieju and others added 2 commits March 19, 2026 13:05
Verify integrity of the Deno binary (bin.dockerfile) and tini binary
(alpine, ubuntu, debian, distroless) using upstream .sha256sum files.
This is a requirement for docker-library/official-images inclusion.

Closes #162

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The sha256sum files reference the original download filenames (e.g.
deno-x86_64-unknown-linux-gnu.zip, tini-amd64), but the files were
being saved with different names (deno.zip, /tini). sha256sum -c
expects the referenced filename to exist, causing CI to fail.

Fix by downloading files with their original names and renaming after
verification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
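
The filename mismatch described in the second commit message, reproduced offline as an added example (not code from this pull request). The file contents are constructed, and the helper names `verify_and_install` and `run_case` are hypothetical; only the asset name `tini-amd64` comes from the commit message.

```shell
#!/bin/sh
# Added example. All files are constructed locally; "tini-amd64" only mimics
# the upstream asset name mentioned in the commit message.

# verify_and_install DIR ASSET DEST (hypothetical helper)
# Checks DIR/ASSET against DIR/ASSET.sha256sum and moves it to DEST on success.
verify_and_install() (
    cd "$1" || exit 2
    # sha256sum -c opens the filename recorded inside the checksum file, so
    # the download must still carry its upstream name at this point.
    sha256sum -c "$2.sha256sum" >/dev/null 2>&1 || exit 1
    mv "$2" "$3" && chmod +x "$3"
)

# run_case MODE (hypothetical helper): builds a fresh constructed "release"
# and returns the status of the verification step.
# MODE is one of: good, renamed, truncated.
run_case() (
    work=$(mktemp -d) || exit 2
    trap 'rm -rf "$work"' EXIT
    mkdir "$work/upstream" "$work/build"
    printf 'constructed binary payload\n' > "$work/upstream/tini-amd64"
    (cd "$work/upstream" && sha256sum tini-amd64 > tini-amd64.sha256sum)
    cp "$work/upstream/tini-amd64.sha256sum" "$work/build/"

    case $1 in
        # Saved under the upstream name: the checksum file can find it.
        good)      cp "$work/upstream/tini-amd64" "$work/build/tini-amd64" ;;
        # Saved under the final name too early: sha256sum -c finds no file.
        renamed)   cp "$work/upstream/tini-amd64" "$work/build/tini" ;;
        # Right name, truncated content: the digest no longer matches.
        truncated) head -c 5 "$work/upstream/tini-amd64" > "$work/build/tini-amd64" ;;
        *)         exit 2 ;;
    esac
    verify_and_install "$work/build" tini-amd64 "$work/build/tini"
)

for mode in good renamed truncated; do
    if run_case "$mode"; then
        echo "$mode: verified and installed"
    else
        echo "$mode: verification failed, build would stop here"
    fi
done
```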

@igorbdl igorbdl left a comment

LGTM 🚀

@bartlomieju bartlomieju merged commit 05bc542 into main Mar 25, 2026
6 checks passed
@bartlomieju bartlomieju deleted the checksum-verification branch March 25, 2026 07:45

Development

Successfully merging this pull request may close these issues.

Checksum verification of deno binary