Merge pull request #835 from CircleCI-Public/DEVEX-645-security-add-d…

…ocumentation-to-the-readme-about-validating-the-downloaded-binaries-against-the-checksums-provided-in-the-assets-section-of-the-releases doc: Added doc about checksum verification
CircleCI-Public · Feb 2, 2023 · d0e8249 · d0e8249
2 parents b7a08c2 + 7c17232
commit d0e8249
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -62,6 +62,22 @@ You can also set a specific version of the CLI to install with the `VERSION` env
 curl -fLSs https://raw.githubusercontent.com/CircleCI-Public/circleci-cli/main/install.sh | VERSION=0.1.5222 sudo bash
 ```
 
+#### Checksum verification
+
+If you would like to verify the checksum yourself, you can download the checksum file from the [GitHub releases page](https://github.com/CircleCI-Public/circleci-cli/releases) and verify the checksum of the archive using the `circleci-cli_<version>_checksums.txt` inside the assets of the release you'd like to install:
+
+On macOS and Linux:
+```sh
+shasum -a 256 circleci-cli_<version>_<os>.tar.gz
+```
+
+and on Windows:
+```powershell
+Get-FileHash .\circleci-cli_<version>_<os>.tar.gz -Algorithm SHA256 | Format-List
+```
+
+And compare it to the right checksum depending on the downloaded version in the `circleci-cli_<version>_checksums.txt` file.
+
 ### Updating
 
 If you installed the CLI without a package manager, you can use its built-in update command to check for pending updates and download them: