A plugin should print the checksums to the log

[igor-petruk]

It is important to verify that it was a CI that uploaded the artifacts.

Assume I am a Github repo owner, but I don't own the CI server - I use a public one.

A user can then read CI logs to see the checksums, download the archive and check them. This prevents the Github owner from deleting the CI release and putting a malicious binary manually, providing a correct new hash sum.

[lafriks]

You should be using binary signing with gpg key for such usecase

[tboerger]

Checksums are anyway not that secure, as @lafriks said, use gpg for signing. There is also a plugin available for it. I personally don't use this feature at all, I prefer to build Checksums on my own.

[igor-petruk]

I might be missing something, GPG would only prove that me (as an author) is me. I can still print it in the logs. If I don't print, I can still do the signing. Then build the same code locally + evil patch, sign it and place it to releases. Yes I will be responsible and loose credit, but but that only proves I did it.

I was more looking to proving that something was built on public CI that I don't control. It was built there, hashed there.

GPG would solve my problem if cloud.drone.io provided their widely trusted signing key.

[lafriks]

If you don't trust owner of product you should probably compile it from source