add checksum verification

Author: suhailkakar

README.md

@@ -2,6 +2,8 @@
 
 Rust CLI for Polymarket. Browse markets, place orders, manage positions, and interact with onchain contracts — from a terminal or as a JSON API for scripts and agents.
 
+> **Warning:** This is early, experimental software. Use at your own risk and do not use with large amounts of funds. APIs, commands, and behavior may change without notice. Always verify transactions before confirming.
+
 ## Install
 
 ### Homebrew (macOS and Linux)

install.sh

@@ -37,14 +37,43 @@ main() {
     exit 1
   fi
 
-  url="https://github.com/${REPO}/releases/download/${tag}/${BINARY}-${tag}-${target}.tar.gz"
+  tarball_name="${BINARY}-${tag}-${target}.tar.gz"
+  url="https://github.com/${REPO}/releases/download/${tag}/${tarball_name}"
+  checksums_url="https://github.com/${REPO}/releases/download/${tag}/checksums.txt"
 
   echo "Installing ${BINARY} ${tag} (${target})..."
 
   tmpdir=$(mktemp -d)
   trap 'rm -rf "$tmpdir"' EXIT
 
-  curl -sSfL "$url" | tar xz -C "$tmpdir"
+  curl -sSfL "$url" -o "$tmpdir/$tarball_name"
+  curl -sSfL "$checksums_url" -o "$tmpdir/checksums.txt"
+
+  expected_hash=$(grep "$tarball_name" "$tmpdir/checksums.txt" | awk '{print $1}')
+  if [ -z "$expected_hash" ]; then
+    echo "Error: no checksum found for $tarball_name" >&2
+    exit 1
+  fi
+
+  if command -v sha256sum >/dev/null 2>&1; then
+    actual_hash=$(sha256sum "$tmpdir/$tarball_name" | awk '{print $1}')
+  elif command -v shasum >/dev/null 2>&1; then
+    actual_hash=$(shasum -a 256 "$tmpdir/$tarball_name" | awk '{print $1}')
+  else
+    echo "Error: need sha256sum or shasum to verify download" >&2
+    exit 1
+  fi
+
+  if [ "$actual_hash" != "$expected_hash" ]; then
+    echo "Error: checksum mismatch!" >&2
+    echo "  Expected: $expected_hash" >&2
+    echo "  Got:      $actual_hash" >&2
+    echo "The downloaded file may have been tampered with. Aborting." >&2
+    exit 1
+  fi
+
+  echo "Checksum verified."
+  tar xzf "$tmpdir/$tarball_name" -C "$tmpdir"
 
   if [ -w "$INSTALL_DIR" ]; then
     mv "$tmpdir/$BINARY" "$INSTALL_DIR/$BINARY"

src/commands/upgrade.rs

@@ -32,6 +32,12 @@ pub fn execute() -> anyhow::Result<()> {
     let tmpdir = tempdir()?;
     let tarball = format!("{tmpdir}/{BINARY}.tar.gz");
 
+    let tarball_name =
+        format!("{BINARY}-{latest_tag}-{target}.tar.gz");
+    let checksums_url = format!(
+        "https://github.com/{REPO}/releases/download/{latest_tag}/checksums.txt"
+    );
+
     println!("Downloading {latest_tag} ({target})...");
 
     let status = Command::new("curl")
@@ -42,6 +48,17 @@ pub fn execute() -> anyhow::Result<()> {
         bail!("Download failed (HTTP error)");
     }
 
+    let checksums_file = format!("{tmpdir}/checksums.txt");
+    let status = Command::new("curl")
+        .args(["-sSfL", "-o", &checksums_file, &checksums_url])
+        .status()
+        .context("Failed to download checksums")?;
+    if !status.success() {
+        bail!("Failed to download checksums.txt — cannot verify integrity");
+    }
+
+    verify_checksum(&tarball, &checksums_file, &tarball_name)?;
+
     let status = Command::new("tar")
         .args(["xzf", &tarball, "-C", &tmpdir])
         .status()
@@ -129,6 +146,49 @@ fn tempdir() -> anyhow::Result<String> {
     Ok(String::from_utf8_lossy(&output.stdout).trim().to_string())
 }
 
+fn verify_checksum(file_path: &str, checksums_file: &str, expected_name: &str) -> anyhow::Result<()> {
+    let checksums = fs::read_to_string(checksums_file).context("Failed to read checksums.txt")?;
+
+    let expected_hash = checksums
+        .lines()
+        .find_map(|line| {
+            let mut parts = line.split_whitespace();
+            let hash = parts.next()?;
+            let name = parts.next()?;
+            if name == expected_name || name.trim_start_matches("./") == expected_name {
+                Some(hash.to_string())
+            } else {
+                None
+            }
+        })
+        .context(format!("No checksum found for {expected_name} in checksums.txt"))?;
+
+    let output = Command::new("shasum")
+        .args(["-a", "256", file_path])
+        .output()
+        .or_else(|_| Command::new("sha256sum").arg(file_path).output())
+        .context("Failed to compute SHA256 (need shasum or sha256sum)")?;
+
+    if !output.status.success() {
+        bail!("Failed to compute SHA256 of downloaded file");
+    }
+
+    let actual_hash = String::from_utf8_lossy(&output.stdout)
+        .split_whitespace()
+        .next()
+        .unwrap_or("")
+        .to_string();
+
+    if actual_hash != expected_hash {
+        bail!(
+            "Checksum mismatch!\n  Expected: {expected_hash}\n  Got:      {actual_hash}\n\nThe downloaded binary may have been tampered with. Aborting."
+        );
+    }
+
+    println!("Checksum verified.");
+    Ok(())
+}
+
 fn sudo_mv(from: &str, to: &str) -> std::io::Result<()> {
     let status = Command::new("sudo")
         .args(["mv", from, to])