Security

Security of released binaries

Binaries published in the Releases section of GitHub are the output of a process which has been designed with a security-first approach. Every step from source code to the intended final destination of binaries is fully visible, immune from external interference and independently verifiable. This is the process:

  1. During every release, the Release workflow is triggered on GitHub.

  2. The release workflow pulls the source code and builds binaries.

  3. The release workflow computes SHA256 checksums of binaries and publishes them to the Sigstore Public Good Instance through GitHub Attestations.

  4. Checksums and binaries are published on the Release page.

  5. Binaries are downloaded by users to the intended final destination.

It is possible to verify that the SHA256 checksums of binaries correspond to the ones published on Sigstore by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

It is possible to verify that binaries have not been altered during transfer from GitHub to the final destination by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
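The two one-liners above cover the common case of a single downloaded archive. The script below is an added example (it is not part of the mediamtx project) that wraps the same two checks, steps 3 to 5 of the process, into reusable functions: one that compares every locally present archive against checksums.sha256 and reports missing or mismatching entries individually, and one that asks Sigstore through `gh attestation verify` whether each archive was produced by the release workflow. It assumes GNU coreutils `sha256sum` (or `shasum` as a fallback) and, for the attestation step only, the GitHub CLI `gh` with network access; the repository name is the one on this page.

```shell
#!/bin/sh
# Added example, not the project's own code: verify downloaded mediamtx
# release archives against checksums.sha256 and against Sigstore attestations.
# Assumes sha256sum or shasum is installed; gh is needed only for attestations.

set -u

# Print "<sha256>  <name>" for one file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# verify_checksums <checksums.sha256> <file>...
# Checks only the files that are actually present locally (a partial download
# is common). Fails if a file is not listed in the checksum file or if its
# digest differs. Returns 0 when every file matches, 1 otherwise.
verify_checksums() {
    sums="$1"; shift
    status=0
    for f in "$@"; do
        name=$(basename "$f")
        # Exact match on the second column; tolerate the "*name" binary-mode form.
        expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
        if [ -z "$expected" ]; then
            echo "MISSING  $name (not listed in $sums)" >&2
            status=1
            continue
        fi
        actual=$(sha256_of "$f" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done
    return $status
}

# verify_attestations <owner/repo> <file>...
# Asks the Sigstore Public Good Instance (via GitHub Attestations) whether each
# archive was built by the repository's release workflow. Needs gh and network.
verify_attestations() {
    repo="$1"; shift
    status=0
    for f in "$@"; do
        if gh attestation verify "$f" --repo "$repo"; then
            echo "ATTESTED   $(basename "$f")"
        else
            echo "UNVERIFIED $(basename "$f")" >&2
            status=1
        fi
    done
    return $status
}

# Usage, from the directory holding checksums.sha256 and the downloaded archives:
#   verify_checksums checksums.sha256 mediamtx_* \
#     && verify_attestations bluenviron/mediamtx mediamtx_*
```

Running the checksum step before the attestation step keeps the two questions separate: a FAILED line means the bytes changed between GitHub and the final destination, while an UNVERIFIED line means Sigstore has no record that this exact digest came out of the release workflow.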

Reporting vulnerabilities

Vulnerabilities can be reported privately by using the Security Advisory feature of GitHub.