Checksum

[taiki-e]

The current installation way is secure enough.

When installing the tool from GitHub Releases, this action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as the recommended installation of rustup.

However, verifying the hashes of downloaded files can provide a higher level of security.

Cases where the current installation way is vulnerable and checksum can prevent:

1. The GitHub account is hijacked and the release binary is replaced with another malicious program.
2. After a GitHub account is renamed, a GitHub account, project, and releases with the same name are created by a malicious user.

However, the checksum is not perfect, as it cannot reject new releases on hijacked accounts.

Perhaps the best approach here from a security standpoint is to verify the signature of the binary or archive, but the compiled binaries of most projects we support are not signed. Also, depending on how it is signed, it may be vulnerable to hijacking in any case (e.g., when signing is a part of the automated release process done in CI).