generate and show binary checksums in releases (#4012) (#4095)

.github/workflows/nightly_binaries.yml

@@ -13,6 +13,8 @@ jobs:
         fetch-depth: 0
 
     - run: make binaries
+      env:
+        CHECKSUM: '1'
 
     - uses: actions/upload-artifact@v4
       with:

.github/workflows/release.yml

@@ -13,6 +13,8 @@ jobs:
     - uses: actions/checkout@v4
 
     - run: make binaries
+      env:
+        CHECKSUM: '1'
 
     - uses: actions/upload-artifact@v4
       with:
@@ -38,11 +40,24 @@ jobs:
 
           const currentRelease = context.ref.split('/')[2];
 
+          let body = `## Security\n\n`
+            + `Binaries have been produced by the [Release workflow](https://github.com/${owner}/${repo}/actions/workflows/release.yml)`
+            + ` without human intervention.\n\n`
+            + `SHA256 checksums:\n`;
+
+          for (const name of await fs.readdir('./binaries/')) {
+            if (name.endsWith('.sha256sum')) {
+              const parts = (await fs.readFile(`./binaries/${name}`, 'utf-8')).slice(0, -1).split(' ');
+              body += `* ${parts[2]} ${parts[0]}\n`;
+            }
+          }
+
           const res = await github.rest.repos.createRelease({
             owner,
             repo,
             tag_name: currentRelease,
             name: currentRelease,
+            body,
           });
           const release_id = res.data.id;
 

scripts/binaries.mk

@@ -1,5 +1,11 @@
 BINARY_NAME = mediamtx
 
+ifeq ($(CHECKSUM),1)
+  define DOCKERFILE_CHECKSUM
+  RUN cd /s/binaries; for f in *; do sha256sum $$f > $$f.sha256sum; done
+  endef
+endif
+
 define DOCKERFILE_BINARIES
 FROM $(BASE_IMAGE) AS build-base
 RUN apk add --no-cache zip make git tar
@@ -56,6 +62,7 @@ COPY --from=build-darwin-arm64 /s/binaries /s/binaries
 COPY --from=build-linux-armv6 /s/binaries /s/binaries
 COPY --from=build-linux-armv7 /s/binaries /s/binaries
 COPY --from=build-linux-arm64 /s/binaries /s/binaries
+$(DOCKERFILE_CHECKSUM)
 endef
 export DOCKERFILE_BINARIES