My whole life is in backups, so I need to verify releases when I set up duplicacy on a new machine. I tried today to verify a downloaded binary release using a checksum.
Since there are no published checksums (that I know of), I instead tried to rebuild it locally. Not wanting to guess about which command was used to build the source, I tried gorepro, and was greeted with an error message:
```
$ go install github.com/capnspacehook/gorepro@latest
$ go/bin/gorepro Downloads/duplicacy_linux_x64_3.1.0
"Downloads/duplicacy_linux_x64_3.1.0" was built with go1.16.15, only go1.18 or newer embeds build metadata that is required by gorepro
```
So, either add checksums anywhere (could be in a forum post from a trusted user for all I care), or update to a newer version of Go, or give guidance (straight in the project README) on how to verify releases if you have another preferred way. Or provide OS packages. Anything so that I don’t just download a binary and run it without being able to verify it’s the correct one. And no, I don’t trust duplicacy on my previous machine, because I’m rotating away from it right now, and the old machine is now untrusted.
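
An added example, not part of the original post and not code from duplicacy or gorepro: a small Go program that reads the toolchain version embedded in a downloaded Go binary with the standard `debug/buildinfo` package and reports whether it meets the go1.18 cut-off quoted in the gorepro error, listing any embedded build settings. The function names and the `buildcheck` tool name are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// leadingInt parses the decimal digits at the start of s ("18rc1" -> 18).
func leadingInt(s string) (int, error) {
	end := 0
	for end < len(s) && s[end] >= '0' && s[end] <= '9' {
		end++
	}
	return strconv.Atoi(s[:end])
}

// embedsBuildSettings reports whether a toolchain string such as "go1.16.15"
// is go1.18 or newer, the cut-off named in the gorepro error above.
func embedsBuildSettings(goVersion string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(goVersion, "go"), ".", 3)
	if !strings.HasPrefix(goVersion, "go") || len(parts) < 2 {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	major, errMajor := leadingInt(parts[0])
	minor, errMinor := leadingInt(parts[1])
	if errMajor != nil || errMinor != nil {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	return major > 1 || (major == 1 && minor >= 18), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: buildcheck <go-binary>") // hypothetical tool name
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	ok, err := embedsBuildSettings(info.GoVersion)
	fmt.Printf("toolchain %s, build settings expected: %v (err: %v)\n", info.GoVersion, ok, err)
	for _, s := range info.Settings { // expected to be empty for pre-1.18 binaries
		fmt.Printf("  %s=%s\n", s.Key, s.Value)
	}
}
```

The embedded metadata is read from the file being checked, so it only describes how the binary claims to have been built; it is the input to a rebuild-and-compare, not a substitute for one.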