redis / redis-hashes Goto Github PK

See: https://en.wikipedia.org/wiki/SHA-1#The_SHAppening
And: https://sites.google.com/site/itstheshappening

Hi, I tried it on different platforms and let a colleague verify. The downloaded archive for redis 4.0.3 always gives
412f2634e55fe19e8826fae47935a8efe1e60ba2a48a8953c65e7a6caa459e41
not the hash specified in the file.

Adding the checksum for the current redis-stable release would be helpful for two reasons:

• be able to check the checksum of the downloaded redis-stable tarball.
• being able to configure automated deployment setups to check the hash of the downloaded tarball when specifying redis-stable instead of a specific point release.

Thanks for considering.

https://github.com/antirez/redis/archive/5.0-rc6.tar.gz
Is the only url I found with a non-empty download and the correct hash for this archive is
6f16ffb5550b6ba74f8198f873e2f4f1fc031a69583a16084c237c5389f6d159

The hash you have listed
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is for the zero-byte tar file from http://download.redis.io/releases/redis-5.0-rc6.tar.gz

I can't find checksum for 2.8.24 release. Please add it.
Thanks.

Any particular reason not to include the 3.2 release candidate hashes here? 😄

Since download.redis.io does not support HTTPS, I tried to fetch Redis from GitHub. But it turns out, that GitHub and download.redis.io are using different gzip versions or compression rates. So the SHA1 differs from what's published on https://github.com/antirez/redis-hashes/blob/master/README. The uncompressed tarballs have the same hash.

Could you please provide HTTPS for download.redis.io and provide hashes/signatures for the GitHub releases?

There is no hash for v6.2.5 which has been released yesterday

If you were to publish a GPG key that is used for code signing and signed that latest version of the hashes file and each binary download file for each release with a detached gnupg signature file it would go a long way to ensure that not only are the bits correct (which the hash already tells us) but that the integrity of the hashes list is unimpeachable as well. This could be very easily scripted on your end when new releases are put out.

Signing the binary for each release tarball individually would be awesome as well.

Here are a couple of example projects that do this:

https://github.com/tianon/gosu/releases
https://github.com/just-containers/s6-overlay/releases

An example usage (in a Dockerfile) would be something like this:

ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-amd64.tar.gz /tmp/s6-overlay-amd64.tar.gz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-amd64.tar.gz.sig /tmp/s6-overlay-amd64.tar.gz.sig

RUN tar xvfz /tmp/s6-overlay-amd64.tar.gz -C / && \
  gpg --keyserver pgp.mit.edu --recv-key ${S6_OVERLAY_GPG_KEY} && \
  gpg --verify /tmp/s6-overlay-amd64.tar.gz.sig /tmp/s6-overlay-amd64.tar.gz && \