I don't think there's an actual way to know that for sure. They can tell you that what they're distributing is a build of what's on their github. You can build what's on their github. You can download their binaries and then compare them with what you built but the difficulty is that you're unlikely to get a bitwise identical binary since you're probably not building with the same configuration/compiler/etc. You can do a sort of "external" comparison on what you build and what they distribute by running tests against both.
On second read, you're actually asking if a binary in a repo is the same as a binary on a website: to do that, just download both of them and hash them then compare the hashes:
The above just uses bash to run sha256sum against "file1.zip" and "file2.zip" and pipes each result to diff. If they are not different you will see no output and $? will be 0. If they are different, you'll see the two different hashes printed on the command line. Note: if the above syntax is confusing or hard to replicate, you could always just compare hashes "by hand".
On second read, you're actually asking if a binary in a repo is the same as a binary on a website: to do that, just download both of them and hash them then compare the hashes:
Code:
$ sha256sum file1.zip | cut -f 1 -d ' ' | diff <(sha256sum file2.zip | cut -f 1 -d ' ') -
The above just uses bash to run sha256sum against "file1.zip" and "file2.zip" and pipes each result to diff. If they are not different you will see no output and $? will be 0. If they are different, you'll see the two different hashes printed on the command line. Note: if the above syntax is confusing or hard to replicate, you could always just compare hashes "by hand".
Thank you for the explanation very helpful, i will compare the hashes by "hand".
