{"id":17152709,"url":"https://github.com/mkmik/getsum","last_synced_at":"2025-08-17T01:06:00.713Z","repository":{"id":37853517,"uuid":"206318003","full_name":"mkmik/getsum","owner":"mkmik","description":"Abuse the gosum database to store verifiable hashes about any binary file","archived":false,"fork":false,"pushed_at":"2025-08-10T04:22:56.000Z","size":710,"stargazers_count":7,"open_issues_count":4,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-10T06:17:55.045Z","etag":null,"topics":["go","hack","security","transparency"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mkmik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-09-04T12:49:36.000Z","updated_at":"2025-08-10T04:22:28.000Z","dependencies_parsed_at":"2024-02-15T02:29:38.205Z","dependency_job_id":"a0e8cc17-7abf-4788-8eed-2f074902ab23","html_url":"https://github.com/mkmik/getsum","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/mkmik/getsum","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkmik%2Fgetsum","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkmik%2Fgetsum/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkmik%2Fgetsum/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkmik%2Fgetsum/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mk
mik","download_url":"https://codeload.github.com/mkmik/getsum/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkmik%2Fgetsum/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269863898,"owners_count":24487575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-11T02:00:10.019Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","hack","security","transparency"],"created_at":"2024-10-14T21:44:21.025Z","updated_at":"2025-08-17T01:06:00.676Z","avatar_url":"https://github.com/mkmik.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Public Artifact Checksums Witness\n\nThis server observes and records checksums of publicly downloadable artifacts.\nIt offers verifiable proof that the claimed observations are immutable, i.e. this server cannot serve a different claim in the future.\n\nIt can be used to detect URLs whose content breaks immutability guarantees (e.g. usually versioned software releases).\n\n## Install\n\n```bash\n$ GO111MODULE=on go get getsum.pub/getsum@latest\n```\n\n## Usage\n\n```bash\n$ getsum https://some.com/url/to/a/file\n```\n\n`getsum` returns the hash of a file. 
The hash is fetched by `getsum.pub` by reading `https://some.com/url/to/a/file.sha256` and falling back to `https://some.com/url/to/a/SHA256SUMS` (we'll add more ways of seeding the hash, although we'll likely keep avoiding downloading large files from the internet).\n\nHowever, `getsum.pub` doesn't directly serve the hash to the `getsum.pub` client.\nInstead it generates a fake Go module `getsum.pub/https/some.com/ovzgy/orxq/me/mzuwyzi` (all path components are base32-encoded to ensure any URL is a valid Go import path)\nwhich contains the original URL and the sha256 checksum of it.\n\nThe `getsum` client then fetches this module using https://proxy.golang.org and verifies the checksum using https://sum.golang.org (read more about it [here](https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md)).\n\nThus we leverage an existing large-scale transparent log to ensure that files are indeed **immutable**, i.e. the original publisher of that URL never changes the file (and the published `.sha` file).\n\n### Verify\n\n`getsum` doesn't download the file; you need to use a tool like `curl` or `wget`,\nbut it can verify whether the file you just downloaded matches the published hash and that the hash\nhasn't been modified.\n\n```sh\n$ wget https://some.com/url/to/a/file \\\n  \u0026\u0026 getsum -c file https://some.com/url/to/a/file \\\n  \u0026\u0026 echo \"good file, continue\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkmik%2Fgetsum","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmkmik%2Fgetsum","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkmik%2Fgetsum/lists"}