Security
Security of released binaries
Binaries published in the Releases section of GitHub are the output of a process designed with a security-first approach. Every step from source code to the intended final destination of the binaries is fully visible, protected from external interference and independently verifiable. This is the process:
- During every release, the Release workflow is triggered on GitHub.
- The release workflow pulls the source code and builds binaries.
- The release workflow computes SHA256 checksums of binaries and publishes them to the Sigstore Public Good Instance through GitHub Attestations.
- Checksums and binaries are published on the Release page.
- Binaries are downloaded by users to the intended final destination.
It is possible to verify that the SHA256 checksums of the binaries correspond to those published on Sigstore by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
It is possible to verify that binaries have not been altered during transfer from GitHub to the final destination by downloading checksums.sha256 and running:
cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
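The one-liner above relies on grep matching the local file names against checksums.sha256. The script below is an added example, not part of the mediamtx project, that performs the same transfer-integrity check more strictly: each binary is matched against the checksum file by exact file name (so a shorter name cannot match a longer entry by prefix), a binary with no entry at all is reported as a failure rather than silently skipped, and every mismatch is listed before the script returns a non-zero status. The attestation step (`gh attestation verify`) needs network access to Sigstore and is therefore not reproduced here. The script assumes GNU coreutils (`sha256sum`) and the standard "<digest>  <file name>" line format; the release directory it builds for demonstration is constructed sample data, not real mediamtx binaries.

```shell
#!/bin/sh
# Added example, not part of the mediamtx project: verify downloaded release
# binaries against checksums.sha256 one by one, failing on a hash mismatch
# and on a binary that has no entry in the checksum file at all.
# Assumes GNU coreutils (sha256sum) and the standard two-space
# "<hex-digest>  <file name>" line format that sha256sum emits.

# hash_of <file>: print the SHA256 hex digest of a file.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# expected_hash <checksums-file> <file name>: print the digest recorded for
# exactly this file name (exact match, so mediamtx_v1... cannot match a
# mediamtx_v10... entry), or nothing if the file is not listed.
expected_hash() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_checksums <checksums-file> <binary>...: returns 0 only if every
# binary is listed and its digest matches; reports each problem on stderr.
verify_checksums() {
    sums="$1"; shift
    status=0
    for bin in "$@"; do
        name=$(basename "$bin")
        want=$(expected_hash "$sums" "$name")
        if [ -z "$want" ]; then
            echo "MISSING  $name: no entry in $(basename "$sums")" >&2
            status=1
            continue
        fi
        got=$(hash_of "$bin")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: expected $want, got $got" >&2
            status=1
        fi
    done
    return "$status"
}

# make_fixture: build a constructed release directory for demonstration and
# print its path. Contents are sample data, not real mediamtx binaries.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed sample binary\n' > "$dir/mediamtx_v0.0.0_linux_amd64.tar.gz"
    printf 'constructed sample binary\n' > "$dir/mediamtx_v0.0.0_tampered.tar.gz"
    printf 'constructed sample binary\n' > "$dir/mediamtx_v0.0.0_unlisted.tar.gz"
    # Record digests only for the first two, then corrupt the second after
    # its digest was recorded, simulating alteration during transfer.
    (cd "$dir" && sha256sum mediamtx_v0.0.0_linux_amd64.tar.gz \
                           mediamtx_v0.0.0_tampered.tar.gz > checksums.sha256)
    printf 'one extra byte' >> "$dir/mediamtx_v0.0.0_tampered.tar.gz"
    echo "$dir"
}

# Stand-alone demonstration: the first binary passes, the other two fail.
demo_dir=$(make_fixture)
if verify_checksums "$demo_dir/checksums.sha256" "$demo_dir"/mediamtx_*; then
    echo "all binaries verified"
else
    echo "verification FAILED for at least one binary"
fi
```

On a real download directory, run `verify_checksums checksums.sha256 mediamtx_*` after the attestation check; a non-zero exit means at least one file should be discarded and re-downloaded rather than installed.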
Reporting vulnerabilities
Vulnerabilities can be reported privately by using the Security Advisory feature of GitHub.