On the (official) download page for releases, https://go.dev/dl/ links are provided for source an binary releases and for each release/platform size, checksum and some more info. The checksum is provided as text on the page, but i can not find a download link for it. Our use case is regular and automatic update of developer installations with the latest version. The developer are behind a corporate firewall and we provide an intern repository that is updated by automatic processes and also manually. We watch the website (using renovate) for update and download can download the new version automatically. But we would like to verify the download using the provided checksum as well (or by using a signed file or any other means). Screenscraping the checksum is possible but a bit cumbersome and often brittle.
I found related issues from 2016 (closed): github golang 14385 and golang.org 19783. From the discussion in these issues i found that it is possible to download, for example, the current linux binary and its checksum from - https://storage.googleapis.com/golang/go1.22.5.linux-amd64.tar.gz - https://storage.googleapis.com/golang/go1.22.5.linux-amd64.tar.gz.sha256
But since https://go.dev/dl/ is the official download site it would be, in some way, cleaner to be able to download the file with the sha256 checksum from there. For example the textual entry of the checksum in the table could be changed to be a link for the file (or just provide the link - who ever wants to see the checksum could just click on it ...).
May be am i missing some better ways to verify the download automatically (beside checking the TLS cert of https://go.dev) ? In this case i would appreciate some pointers to those. Thank you.
Comment From: gabyhelp
Related Issues
- Make .sha256 checksum files available at https://golang.org/dl #41172 (closed)
- x/website/internal/dl: serve .sha256 checksum files by redirecting to https://dl.google.com/go #41894
- x/website: #57143 (closed)
- release: provide sha256 checksums in machine readable format #14385 (closed)
- golang.org: suggestion for Go versions URL to enable automated downloads #25271 (closed)
- x/website: link to signatures on Go releases and document how to validate #38910
- dl: add go1.2.2, go1.3.3 and go1.4.3 #45608
- website: use sha256 on download page #12057 (closed)
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
Comment From: ashabgp
Thank you very much - the first issue (https://github.com/golang/go/issues/41172) in the list of related issues provides a nice solution for my use case. So I close the ticket.
Comment From: ashabgp
The json (https://go.dev/dl/?mode=json) download with link and checksum solves my problem. Thank you.