
Commit f1bf2f6

feat(dlx): add SHA256 checksum verification for Python and socket-patch downloads
1 parent 8ce043d commit f1bf2f6


1 file changed

+14
-4
lines changed


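--- a/packages/cli/src/utils/dlx/spawn.mts
+++ b/packages/cli/src/utils/dlx/spawn.mts
@@ -52,6 +52,7 @@ import { getDefaultOrgSlug } from '../../commands/ci/fetch-default-org-slug.mjs'
 import { getCliVersion } from '../../env/cli-version.mts'
 import { getPyCliVersion } from '../../env/pycli-version.mts'
 import { getPythonBuildTag } from '../../env/python-build-tag.mts'
+import { getPythonChecksums } from '../../env/python-checksums.mts'
 import { getPythonVersion } from '../../env/python-version.mts'
 import { SOCKET_CLI_PYTHON_PATH } from '../../env/socket-cli-python-path.mts'
 import { getSynpVersion } from '../../env/synp-version.mts'
@@ -877,9 +878,9 @@ export async function spawnSynp(
 */
 
 /**
-* Get the download URL for python-build-standalone based on platform and architecture.
+* Get the download URL and asset name for python-build-standalone based on platform and architecture.
 */
-function getPythonStandaloneUrl(): string {
+function getPythonStandaloneInfo(): { assetName: string; url: string } {
 const version = getPythonVersion()
 const tag = getPythonBuildTag()
 const platform = os.platform()
@@ -903,9 +904,13 @@ function getPythonStandaloneUrl(): string {
 throw new InputError(`Unsupported platform: ${platform}`)
 }
 
+// Asset name format matches checksums in external-tools.json.
+const assetName = `cpython-${version}+${tag}-${platformTriple}-install_only.tar.gz`
 // URL encoding for the '+' in version string.
 const encodedVersion = `${version}%2B${tag}`
-return `https://github.com/astral-sh/python-build-standalone/releases/download/${tag}/cpython-${encodedVersion}-${platformTriple}-install_only.tar.gz`
+const url = `https://github.com/astral-sh/python-build-standalone/releases/download/${tag}/cpython-${encodedVersion}-${platformTriple}-install_only.tar.gz`
+
+return { assetName, url }
 }
 
 /**
@@ -938,13 +943,18 @@ function getPythonBinPath(pythonDir: string): string {
 * Download and extract Python from python-build-standalone using downloadBinary.
 */
 async function downloadPython(pythonDir: string): Promise<void> {
-const url = getPythonStandaloneUrl()
+const { assetName, url } = getPythonStandaloneInfo()
 const tarballName = 'python-standalone.tar.gz'
 
+// Get SHA-256 checksum for integrity verification.
+const checksums = getPythonChecksums()
+const sha256 = checksums[assetName]
+
 await safeMkdir(pythonDir, { recursive: true })
 
 const result = await downloadBinary({
 name: tarballName,
+sha256,
 url,
 })
 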