Add Cryptographic Digests to GitHub Releases

[philips]

I think we should consider adding cryptographic digests for the files released in etcd. Commonly called SHA256SUMS files they can be easily generated using the common sha256sum tool on most systems

sha256sum * > SHA256SUMS

Alternatively, there are some release automation tools that can build these files automatically.

Besides being a useful practice for download verification I would also like to use the SHA256SUMS as a way to ensure the releases aren't tampered with and track when they are modified. There is a tool called rget that I have been building that can do this if you provide SHA256SUMS for your releases.

The rget tool also has a subcommand to make it easy to create SHA256SUMS for existing releases, just run:

rget github publish-release-sums https://github.com/etcd-io/etcd/releases/tag/v3.0.0

If all of the @etcd-io/maintainers-etcd agree I can make this change and publish the SHA256SUMS for all of our older releases.

[philips]

cc @etcd-io/maintainers-etcd

[gyuho]

@spzala @hexfusion Do you want to work on this? Will be very simple to add

https://github.com/etcd-io/etcd/blob/master/scripts/build-binary

[hexfusion]

/assign

[philips]

@gyuho @hexfusion I would love to have the older releases covered as well. Any objections if I start by running the tool over the currently supported releases?

[gyuho]

@philips Sure, we can add those starting from 3.3 and 3.4.

I don't think we will have more 3.2 releases. If we do, we can add that to 3.2.

[philips]

@gyuho OK, I will do that in a few hours.

[philips]

I added it for the latest release and everything went OK. I will do a few more:

$ rget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-darwin-amd64.zip
downloading sums: https://github.com/etcd-io/etcd/releases/download/v3.3.13/SHA256SUMS
validating transparency URL: https://22db4f00ebebc0ff47cd7627074b0af7.6f1b51113f7cb7c175b5a1d96eb93161.v3-3-13.etcd.etcd-io.github.com.recorder.merklecounty.com
Failed to verify inclusion proof (failed to GetProofByHash(sct,size=408085873): got HTTP Status "404 Not Found") but embedded SCT[0] timestamp is only 3.265241757s old, less than log's MMD of 86400 seconds
Failed to verify inclusion proof (failed to GetProofByHash(sct,size=678926768): got HTTP Status "404 Not Found") but embedded SCT[1] timestamp is only 3.751400153s old, less than log's MMD of 86400 seconds
OK: x509 SCTs: validated 2/2 SCTs in logs "Cloudflare 'Nimbus2019' Log, Google 'Argon2019' log"
validated file sum: faf40049a245d7a8adbdb90e64bf8808ac72d6fec802d8ae60632b746873fa6e
Download validated and saved to etcd-v3.3.13-darwin-amd64.zip

[philips]

Hit a snag... investigating: merklecounty/rget#13