Verify git-lfs checksum

Maxim Ivanov requested to merge redbaron1/gitlab-runner:git-lfs-verify into master

What does this MR do?

Adds git-lfs tarball verification when building helper image

Why was this MR needed?

It has happened before that release tarballs were replaced by malicious users without the authors knowing it. All downloads which didn't verify checksums would then pull in tampered binaries, which is less than desirable. GitLab Runner helpers are images that companies and individuals run in their private networks; GitLab, being a trusted vendor, shouldn't distribute unverified binaries.

Does this MR meet the acceptance criteria?

  • Documentation created/updated
  • Tests
    • Added for this feature/bug
    • All builds are passing
  • Branch has no merge conflicts with master (if you do - rebase it please)
Edited by 🤖 GitLab Bot 🤖
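
The check this merge request describes, sketched as an added example (not code from the merge request or from GitLab Runner): a build step that unpacks a release tarball only when its SHA-256 equals a pinned value. The function names and the stand-in tarball are assumptions; in a real build the pinned digest is a constant committed to the repository, not computed from the download.

```bash
# Added example: fail-closed checksum verification for a downloaded tarball.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract TARBALL PINNED_SHA256 DESTDIR
# Returns 0 and extracts on a match, 1 on a mismatch, 2 on bad input.
# DESTDIR is not created unless the digest matches.
verify_and_extract() {
    local tarball="$1" expected="$2" dest="$3" actual
    # A missing or malformed pin must stop the build, not pass silently.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "bad pinned digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pinned digest" >&2; return 2; }
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 2; }
    actual=$(sha256_of "$tarball") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Constructed sample data: a stand-in release tarball and a tampered copy.
demo() {
    local work pinned ok=0 bad=0
    work=$(mktemp -d) || return 2
    mkdir "$work/src"
    echo 'stand-in binary' > "$work/src/git-lfs"
    tar -czf "$work/release.tar.gz" -C "$work/src" git-lfs
    pinned=$(sha256_of "$work/release.tar.gz")   # stands in for the committed pin
    cp "$work/release.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"        # simulates a replaced upload
    verify_and_extract "$work/release.tar.gz" "$pinned" "$work/ok" || ok=$?
    verify_and_extract "$work/tampered.tar.gz" "$pinned" "$work/bad" 2>/dev/null || bad=$?
    rm -rf "$work"
    echo "genuine=$ok tampered=$bad"
}
demo
```

A pinned digest only detects a later swap of the file; it has to be taken from a copy that was itself checked against a trusted source, such as a signed checksum list.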
