Add checksum verification to BuildKit build and packaging workflows #219
Open
Description
Summary
Add checksum generation and verification to BuildKit workflows to improve supply chain security.
Background
During review of PR #218, a security concern was identified: the BuildKit packaging workflows download binaries without verifying their integrity. This creates a risk if releases are compromised or corrupted.
Implementation Plan
This enhancement requires two phases:
Phase 1: Generate checksums in build workflow
- Update the BuildKit build workflow (Weekly BuildKit RISC-V64 Build) to generate checksum files (e.g., `SHA256SUMS` or `checksums.txt`)
- Upload the checksum file as a release asset alongside the binaries
- Include checksums for: `buildkitd`, `buildctl`, and any other artifacts
Phase 2: Verify checksums in packaging workflows
- Update `.github/workflows/build-buildkit-package.yml` (Debian packaging) to:
  - Download the checksum file from the release
  - Verify downloaded binaries using `sha256sum -c`
  - Fail the workflow if verification fails
- Update `.github/workflows/build-buildkit-rpm.yml` (RPM packaging) with the same verification logic
References
- PR: feat(buildkit): add Debian and RPM packaging for BuildKit #218
- Discussion: feat(buildkit): add Debian and RPM packaging for BuildKit #218 (comment)
- Requested by: @gounthar
Priority
Medium - Security enhancement that should be implemented before wider distribution of packages.
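A sketch of the two phases as shell functions a workflow step could call. This is an added example, not code from the repository's workflows. The function names and directory argument are assumptions, and `--strict` requires GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: Phase 1 (generate) and Phase 2 (verify) from the plan above.
# Artifact names come from the issue; function names and layout are assumed.

# Phase 1: write SHA256SUMS next to the built binaries.
# usage: generate_checksums <dir> <artifact>...
generate_checksums() {
    local dir=$1; shift
    ( cd "$dir" && sha256sum -- "$@" > SHA256SUMS )
}

# Phase 2: verify every expected artifact in <dir> against <dir>/SHA256SUMS.
# Returns non-zero on a digest mismatch, a malformed checksum line, a missing
# file, or an expected artifact that the checksum file does not list.
# usage: verify_checksums <dir> <artifact>...
verify_checksums() {
    local dir=$1; shift
    local name
    [ -s "$dir/SHA256SUMS" ] || { echo "SHA256SUMS missing or empty" >&2; return 1; }
    for name in "$@"; do
        # sha256sum -c only checks the files that are listed, so an unlisted
        # binary would otherwise pass without ever being hashed.
        if ! awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { ok = 1 }
                               END { exit !ok }' "$dir/SHA256SUMS"; then
            echo "no checksum entry for $name" >&2
            return 1
        fi
    done
    # --strict turns malformed lines into a failure instead of a warning.
    ( cd "$dir" && sha256sum -c --strict SHA256SUMS )
}
```

In a packaging job, calling `verify_checksums "$download_dir" buildkitd buildctl` before the packaging step fails the job on any mismatch. A checksum file stored in the same release as the binaries detects corruption and mismatched assets, but anyone able to replace the binaries could replace it as well.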