Hi,

I want to download docker-compose from github, but I also want to check the file I downloaded hasn’t been tampered with. However I don’t seen any signature of the file. Did I miss something or is it really published without any means to validate the integrity of the file downloaded?

Thanks in advance

This is something that is built in to git. If you simply do a git clone of the repo, each object checked in to git has a signature verification that git applies for you. Give it a try sometime-- set up a bare git repository on your filesystem. Do a ‘git push’ to it, and then tamper with the files in the .git directory. Try doing another ‘git clone’ from the tampered bare repository and you’ll get an error. The same thing happens for remote git repositories like on github.

If you just download the file through the github web interface, you are allowing that verification to happen on the github server, and you are trusting that no tampering has happened between your web browser and the github server that actually pulled the object out of git on github’s servers.

Doing the clone and running the git client on your actual machine allows the check to be happened locally.