Open
Description
Downloaded tarballs are not verified against checksums.
An approach to consider here: we could rely on GitHub attestations and enable those for the WASI SDK.
Snippet from what I've used in other actions:
```bash
# Minimal definitions of the logging helpers the snippet relies on, so it
# runs stand-alone (the real action defines its own).
log_info()    { printf '%s\n' "$*"; }
log_error()   { printf '%s\n' "$*" >&2; }
log_success() { printf '%s\n' "$*"; }

# Verify the GitHub build-provenance attestation of a downloaded artifact.
# $1 = path to the artifact, $2 = version string (not used by this check).
# REPO names the owner/repo that published the attestation; the check is
# skipped unless VERIFY_SIGNATURE=true.
verify_artifact_signature() {
    local artifact_path="$1"
    local version="$2"
    if [ "$VERIFY_SIGNATURE" != "true" ]; then
        return 0
    fi
    log_info "Verifying artifact attestations..."
    # Verify build provenance attestation (SLSA v1 predicate)
    if ! gh attestation verify "$artifact_path" \
        --repo "$REPO" \
        --predicate-type https://slsa.dev/provenance/v1; then
        log_error "Build provenance attestation verification failed!"
        return 1
    fi
    log_success "Artifact attestations verified successfully!"
}
```
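As an added example (not from the issue or the project), the checksum side of the problem in the same shell style: a `verify_checksum` helper that fails closed on mismatch, plus a lookup against a `SHA256SUMS`-style listing. It assumes the release publishes such a listing; the file name and digest below are constructed for illustration.

```bash
#!/usr/bin/env bash
# Checksum verification for a downloaded tarball. Assumption (not from the
# issue): the release ships a SHA256SUMS file with "<hex>  <name>" lines.
set -eu

# Portable SHA-256: GNU coreutils on Linux runners, shasum on macOS runners.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum <artifact_path> <expected_sha256>
# Returns 0 on match. On mismatch it deletes the artifact and returns 1,
# so a later step cannot accidentally extract an unverified download.
verify_checksum() {
    local artifact_path="$1"
    local expected="$2"
    local actual
    actual="$(sha256_of "$artifact_path")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $artifact_path: expected $expected, got $actual" >&2
        rm -f "$artifact_path"
        return 1
    fi
    return 0
}

# expected_from_sums <sums_file> <artifact_name>
# Prints the digest listed for exactly that name (a leading '*' marking
# binary mode is tolerated). Returns 1 if the name is not listed at all.
expected_from_sums() {
    local sums_file="$1" name="$2" digest
    digest="$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f) } f == n {print $1; exit}' "$sums_file")"
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}
```

Pin the digest (or the SHA256SUMS file) in the action rather than fetching it from the same untrusted location as the tarball, otherwise the check only confirms that both files came from the same place.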