fix(installer): add SHA256 checksum verification #97

Merged
CalvinAllen merged 3 commits into main from feat/checksum-verification
Dec 11, 2025

@CalvinAllen

Contributor

Summary

  • Generate SHA256 checksums for all release archives during CI build
  • Publish .sha256 files alongside release artifacts
  • Update install.sh to download and verify checksum before extraction
  • Update install.ps1 to download and verify checksum before extraction
  • Abort installation if checksum is missing or doesn't match

Security Impact

High - Prevents supply chain attacks via compromised downloads.

Changes

Release Workflow

  • Added checksum generation step (Unix uses sha256sum/shasum, Windows uses Get-FileHash)
  • Upload .sha256 files as release artifacts
  • Include checksums in GitHub release assets

install.sh

  • Added verify_checksum() function
  • Downloads checksum file before extraction
  • Verifies archive integrity using sha256sum or shasum
  • Aborts if verification fails

install.ps1

  • Added Test-Checksum function
  • Downloads checksum file before extraction
  • Verifies archive integrity using Get-FileHash
  • Aborts if verification fails

Test plan

  • Verify release workflow generates checksums correctly
  • Test install.sh on Linux/macOS
  • Test install.ps1 on Windows
  • Verify installation aborts on checksum mismatch (manual test with corrupted file)

Closes #87

- Generate SHA256 checksums for all release archives during CI build
- Publish .sha256 files alongside release artifacts
- Update install.sh to download and verify checksum before extraction
- Update install.ps1 to download and verify checksum before extraction
- Abort installation if checksum is missing or doesn't match

Closes #87
@CalvinAllen CalvinAllen merged commit 0de0005 into main Dec 11, 2025
11 checks passed
@CalvinAllen CalvinAllen deleted the feat/checksum-verification branch December 11, 2025 20:32
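
The verification step this PR describes for install.sh, sketched as an added example; it is not the project's code. Only the name `verify_checksum` comes from the PR; the `sha256_of` helper, the return codes and the file names are assumptions.

```sh
#!/bin/sh
# Added example, not the project's install.sh. Only the name verify_checksum comes
# from the PR; sha256_of, the return codes and the file names are assumptions.

# Print the SHA256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "error: need sha256sum or shasum" >&2
        return 127
    fi
}

# verify_checksum ARCHIVE CHECKSUM_FILE: 0 only on a match, non-zero otherwise.
verify_checksum() {
    vc_archive=$1
    vc_sumfile=$2
    [ -f "$vc_archive" ] || { echo "error: archive not found" >&2; return 2; }
    # A missing or empty checksum file is a failure, never a reason to skip.
    [ -s "$vc_sumfile" ] || { echo "error: checksum file missing" >&2; return 3; }
    # First field of line 1, CR stripped and lowercased: a file written on
    # Windows may end in CRLF, and Get-FileHash prints uppercase hex.
    vc_expected=$(head -n 1 "$vc_sumfile" | tr -d '\r' | awk '{print $1}' | tr 'A-F' 'a-f')
    # Exactly 64 hex characters, so an HTML error page saved as .sha256 is rejected.
    case $vc_expected in
        *[!0-9a-f]*) echo "error: malformed checksum file" >&2; return 4 ;;
    esac
    [ "${#vc_expected}" -eq 64 ] || { echo "error: malformed checksum file" >&2; return 4; }
    vc_actual=$(sha256_of "$vc_archive") || return 5
    if [ "$vc_actual" != "$vc_expected" ]; then
        echo "error: checksum mismatch for $vc_archive" >&2
        return 1
    fi
}

# Constructed demo: a stand-in archive and a Windows-style checksum file.
demo_dir=$(mktemp -d)
printf 'constructed archive bytes\n' > "$demo_dir/tool.tar.gz"
demo_hash=$(sha256_of "$demo_dir/tool.tar.gz" | tr 'a-f' 'A-F')
printf '%s  tool.tar.gz\r\n' "$demo_hash" > "$demo_dir/tool.tar.gz.sha256"
verify_checksum "$demo_dir/tool.tar.gz" "$demo_dir/tool.tar.gz.sha256" && echo "verified"
printf 'x' >> "$demo_dir/tool.tar.gz"   # simulate a corrupted download
verify_checksum "$demo_dir/tool.tar.gz" "$demo_dir/tool.tar.gz.sha256" || echo "aborting install"
rm -rf "$demo_dir"
```

Because the `.sha256` file is published alongside the archive, a match shows that the download arrived intact; it does not vouch for the release itself.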

Development

Successfully merging this pull request may close these issues.

sec(installer): add checksum verification and archive extraction safeguards
