SHA256SUM.md format is messy (not machine friendly)

[udf2457]

Please can you make SHA256SUM.md more machine/script friendly.

At present, for example, it is not possible to use it in scripts with pipefail enabled beause sha256sum -c --ignore-missing --strict SHA256SUM.md returns multiple values for the same file and sha256sum will exit !=0 if any check is !=OK.

This means you have to do a somewhat messy workaround of removing pipefail and doing sha256sum -c --ignore-missing --strict SHA256SUM.md | grep -F OK and checking the exit code from grep.

Maybe (as a minimum) you could start issuing something like SHA256SUM_CURRENT which contains only the data for the current release ? And issue it in machine readable form without markdown etc.

Alternatively, if you want to keep the historical data in one place, maybe don't issue it in markdown format, but json format. Then at least people can parse it with jq to get the data for the release they want.

[ianlewis]

I'm not sure why we don't just include a checksums file for each release tbh. Would that solve this issue?

Otherwise we could build binaries with the version name included in the binary name and keep a running checksums file but I'm not sure there's a reason to do that.

[udf2457]

@ianlewis I see you're now pulled SHA256SUM entirely, replacing with intoto.jsonl ? Is that your proposed solution to this issue ?

If so, it might be good if you updated the README with updated verification instructions ? https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#download-the-binary

Also isn't using intoto.jsonl a chicken & egg because it needs slsa-verifier to verify... which you can't verify ....