Publish checksums and/or artifact attestations for release binaries

## Request

Please publish SHA-256 checksums and/or [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) alongside release binaries.

## Why

Currently the release assets include only bare binaries with no mechanism for downstream consumers to verify integrity or provenance. Projects that install cloudflared from GitHub releases have to either:

- Hardcode SHA-256 checksums and manually update them every release (brittle)
- Skip verification entirely (insecure)

A checksums file (e.g., `cloudflared-checksums-sha256.txt`) in the release assets would be a quick win. Artifact attestations would be even better, enabling cryptographic provenance verification with:

```bash
gh attestation verify cloudflared-linux-amd64 --repo cloudflare/cloudflared
```

## Context

We ran into this while adding supply-chain hardening to [NVIDIA/NemoClaw](https://github.com/NVIDIA/NemoClaw), which downloads cloudflared in its install scripts. We're currently hardcoding checksums as a workaround.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish checksums and/or artifact attestations for release binaries #1617

Request

Why

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Publish checksums and/or artifact attestations for release binaries #1617

Description

Request

Why

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions