Verify git-lfs checksum (!796) · Merge requests · GitLab.org / gitlab-runner

Maxim Ivanov requested to merge redbaron1/gitlab-runner:git-lfs-verify into master Dec 28, 2017

What does this MR do?

Adds git-lfs tarball verification when building helper image

Why was this MR needed?

It happened before where release tarballs were replaced by malicious users without authors knowing it. All downloads which didn't verify checksums would then pull in tampered binaries which is less than desirable. Gitlab runner helpers are images run companies and individuals in their private networks, GitLab being trusted vendor shouldn't distribute unverified binaries.

Does this MR meet the acceptance criteria?

Documentation created/updated
Tests
- Added for this feature/bug
- All builds are passing
Branch has no merge conflicts with master (if you do - rebase it please)

Edited Oct 29, 2021 by 🤖 GitLab Bot 🤖

Verify git-lfs checksum

What does this MR do?

Why was this MR needed?

Does this MR meet the acceptance criteria?

Merge request reports