@@ -156,12 +156,49 @@ runs:
156156 --pattern "$ASSET_NAME" \
157157 --dir .; then
158158 echo "✅ Download successful"
159- mv "$ASSET_NAME" mage-x.tar.gz
160159 else
161160 echo "❌ Download failed for $ASSET_NAME from mrz1836/mage-x@$VERSION"
162161 exit 1
163162 fi
164163
164+ # Verify SHA256 integrity against the release's checksums file before extraction.
165+ # Without this, a compromised release asset would silently be executed.
166+ # GoReleaser names the file mage-x_${VERSION}_checksums.txt by default.
167+ CHECKSUMS_FILE="mage-x_${CLEAN_VERSION}_checksums.txt"
168+ echo "🔐 Verifying SHA256 checksum against $CHECKSUMS_FILE..."
169+ if ! gh release download "$VERSION" \
170+ --repo mrz1836/mage-x \
171+ --pattern "$CHECKSUMS_FILE" \
172+ --dir .; then
173+ echo "❌ Failed to download $CHECKSUMS_FILE from mrz1836/mage-x@$VERSION"
174+ echo "❌ Cannot verify binary integrity — refusing to proceed"
175+ exit 1
176+ fi
177+
178+ EXPECTED_HASH=$(grep " ${ASSET_NAME}\$" "$CHECKSUMS_FILE" | awk '{print $1}')
179+ if [[ -z "$EXPECTED_HASH" ]]; then
180+ echo "❌ No checksum entry found for $ASSET_NAME in $CHECKSUMS_FILE"
181+ echo "📋 $CHECKSUMS_FILE contents:"
182+ cat "$CHECKSUMS_FILE"
183+ exit 1
184+ fi
185+
186+ if command -v sha256sum >/dev/null 2>&1; then
187+ ACTUAL_HASH=$(sha256sum "$ASSET_NAME" | awk '{print $1}')
188+ else
189+ ACTUAL_HASH=$(shasum -a 256 "$ASSET_NAME" | awk '{print $1}')
190+ fi
191+
192+ if [[ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]]; then
193+ echo "❌ Checksum mismatch for $ASSET_NAME"
194+ echo " Expected: $EXPECTED_HASH"
195+ echo " Actual: $ACTUAL_HASH"
196+ exit 1
197+ fi
198+ echo "✅ SHA256 checksum verified: $ACTUAL_HASH"
199+
200+ mv "$ASSET_NAME" mage-x.tar.gz
201+
165202 # Extract the tarball
166203 if tar -xzf mage-x.tar.gz; then
167204 echo "✅ Extraction successful"
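Review bot: The `EXPECTED_HASH=$(grep " ${ASSET_NAME}\$" "$CHECKSUMS_FILE" | awk '{print $1}')` assignment fails the whole step when no line matches if the step runs under the composite-action default `shell: bash` (`-e -o pipefail`, configured outside the hunk), because grep exits 1 on no match, so the "No checksum entry found" branch that follows would never be reached. Replacing it with `EXPECTED_HASH=$(awk -v name="$ASSET_NAME" '$2 == name {print $1}' "$CHECKSUMS_FILE")` keeps the branch reachable and also compares the filename exactly rather than as a regex in which each `.` of the asset name matches any character. The comment "GoReleaser names the file mage-x_${VERSION}_checksums.txt by default" does not match the code, which builds the name from `CLEAN_VERSION`; align the two. Since the checksums file is fetched from the same release as the asset, this check catches a corrupted or mismatched download but not a tampered release in which both files were replaced, so I would soften "a compromised release asset would silently be executed" to say so unless a signature over the checksums file is verified as well.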