From e12445338b564bc9cb7d6562c9b0b8e83e89bb73 Mon Sep 17 00:00:00 2001 From: antitree Date: Wed, 25 Mar 2026 16:14:05 -0400 Subject: [PATCH 1/4] fix: verify chainctl checksum after download and pin pip dependency Add SHA256 checksum verification for the chainctl binary download using the published chainctl_checksums.txt file. Pin keyrings-chainguard-libraries to version 0.2.0 to prevent supply chain attacks via unpinned dependency. Fixes: FIND-007, FIND-043 Co-Authored-By: Claude Opus 4.6 (1M context)
---
 action.yaml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/action.yaml b/action.yaml
index c0aeff7..e5e22b2 100644
--- a/action.yaml
+++ b/action.yaml
@@ -125,6 +125,27 @@ runs:
 else
 curl -o ./${out} -fsL --retry 5 --retry-delay 1 --retry-all-errors "${url}"
 fi
+
+ # Verify chainctl binary checksum
+ checksums_url="https://dl.${{ inputs.environment }}/chainctl/latest/chainctl_checksums.txt"
+ echo "Downloading checksums from ${checksums_url}"
+ curl -o checksums.txt -fsL --retry 3 --retry-delay 1 "${checksums_url}"
+ expected=$(grep "chainctl_${os}_${arch}" checksums.txt | awk '{print $1}')
+ if [[ -z "${expected}" ]]; then
+ echo "::error::No checksum found for chainctl_${os}_${arch} in checksums.txt"
+ exit 1
+ fi
+ if command -v sha256sum &>/dev/null; then
+ actual=$(sha256sum ./${out} | awk '{print $1}')
+ else
+ actual=$(shasum -a 256 ./${out} | awk '{print $1}')
+ fi
+ if [[ "${expected}" != "${actual}" ]]; then
+ echo "::error::Checksum mismatch for chainctl: expected ${expected}, got ${actual}"
+ exit 1
+ fi
+ echo "Checksum verified for chainctl_${os}_${arch}"
+
 chmod +x ./${out}
 echo "$(pwd)" >> $GITHUB_PATH
@@ -211,4 +232,4 @@ runs:
 name: Install Python keyring package
 shell: bash
 run: |
- python -m pip install "keyrings-chainguard-libraries"
+ python -m pip install "keyrings-chainguard-libraries==0.2.0"
From 64f250235ebc311224bbc083fc6bd82f77b960be Mon Sep 17 00:00:00 2001 
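Review bot: The `grep "chainctl_${os}_${arch}" checksums.txt` lookup in the `@@ -125,6 +125,27 @@` hunk is an unanchored substring match, so should the checksum file also list companion artifacts whose names contain that stem, `expected` becomes a multi-line value that can never equal `actual` and every run fails with a spurious mismatch; match the whole filename field instead, e.g. `expected=$(grep -E "[[:space:]]\*?chainctl_${os}_${arch}(\.exe)?$" checksums.txt | awk '{print $1}')`. Worth stating in the `# Verify chainctl binary checksum` comment what this check does and does not cover: `checksums.txt` is fetched from the same origin as the binary, so it detects corruption and a stale or swapped CDN object but not a compromised publishing path, and if a signature over the checksums file is published, verifying it here is what would close that gap. The `curl` for the checksums also omits the `--retry-all-errors` that the binary download on the line above uses, so transient server errors are retried for one fetch and not the other. The enclosing `run:` script starts before this hunk.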
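Review bot: In the `@@ -211,4 +232,4 @@` hunk, `python -m pip install "keyrings-chainguard-libraries==0.2.0"` pins the version but not the artifact: pip still accepts whatever wheel or sdist the index serves under that version, so a re-uploaded or mirrored package passes unchanged, which is the supply-chain case the commit message names. To pin the content as well, list the package in a requirements file as `keyrings-chainguard-libraries==0.2.0 --hash=sha256:<hash-from-the-published-release>` (pip accepts `--hash` only in requirements files) and install it with `python -m pip install --require-hashes -r requirements.txt`; at minimum add `--only-binary=:all:` so no sdist build step runs on the runner. The hash value has to come from the release itself; it is not on this page.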
From: antitree Date: Fri, 27 Mar 2026 10:58:40 -0400 Subject: [PATCH 2/4] fix: add cross-platform checksum verification (Windows support) Address review feedback from egibs: sha256sum doesn't exist on Windows. Uses sha256sum (Linux), shasum (macOS), or warns if neither available. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 action.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/action.yaml b/action.yaml
index e5e22b2..ed58dab 100644
--- a/action.yaml
+++ b/action.yaml
@@ -136,9 +136,12 @@ runs:
 exit 1
 fi
 if command -v sha256sum &>/dev/null; then
- actual=$(sha256sum ./${out} | awk '{print $1}')
+ actual=$(sha256sum "./${out}" | awk '{print $1}')
+ elif command -v shasum &>/dev/null; then
+ actual=$(shasum -a 256 "./${out}" | awk '{print $1}')
 else
- actual=$(shasum -a 256 ./${out} | awk '{print $1}')
+ echo "::warning::No sha256 tool available, skipping checksum verification"
+ actual="${expected}"
 fi
 if [[ "${expected}" != "${actual}" ]]; then
 echo "::error::Checksum mismatch for chainctl: expected ${expected}, got ${actual}"
From 4079344d3188e8d7664208de84a77f525fb799ca Mon Sep 17 00:00:00 2001 From: antitree Date: Fri, 27 Mar 2026 11:04:31 -0400 Subject: [PATCH 3/4] fix: use PowerShell Get-FileHash for Windows checksum verification Address egibs review: use PowerShell Get-FileHash on Windows instead of warning/skipping. Now errors if no hash tool is available on any platform. Ref: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash Co-Authored-By: Claude Opus 4.6 (1M context)
---
 action.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/action.yaml b/action.yaml
index ed58dab..4a2c20a 100644
--- a/action.yaml
+++ b/action.yaml
@@ -139,9 +139,11 @@ runs:
 actual=$(sha256sum "./${out}" | awk '{print $1}')
 elif command -v shasum &>/dev/null; then
 actual=$(shasum -a 256 "./${out}" | awk '{print $1}')
+ elif command -v powershell &>/dev/null; then
+ actual=$(powershell -Command "(Get-FileHash -Algorithm SHA256 './${out}').Hash.ToLower()")
 else
- echo "::warning::No sha256 tool available, skipping checksum verification"
- actual="${expected}"
+ echo "::error::No sha256 tool available (tried sha256sum, shasum, PowerShell Get-FileHash)"
+ exit 1
 fi
 if [[ "${expected}" != "${actual}" ]]; then
 echo "::error::Checksum mismatch for chainctl: expected ${expected}, got ${actual}"
From a57a91af0728635aba5355b256f0b57beeb5a601 Mon Sep 17 00:00:00 2001 From: antitree Date: Tue, 7 Apr 2026 15:31:17 -0400 Subject: [PATCH 4/4] =?UTF-8?q?fix:=20address=20review=20feedback=20?= =?UTF-8?q?=E2=80=94=20Move=20'((=20inputs.environment=20))'=20into=20an?= =?UTF-8?q?=20'env:'=20block=20for=20the=20step=20(e.g.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 action.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/action.yaml b/action.yaml
index 4a2c20a..c6384eb 100644
--- a/action.yaml
+++ b/action.yaml
@@ -95,6 +95,7 @@ runs:
 shell: bash
 env:
 CURL_RETRY_ALL_ERRORS: ${{ inputs.retry-all-errors }}
+ ENVIRONMENT: ${{ inputs.environment }}
 run: |
 cd $(mktemp -d)
@@ -112,7 +113,7 @@ runs:
 arch="arm64"
 fi
- url="https://dl.${{ inputs.environment }}/chainctl/latest/chainctl_${os}_${arch}"
+ url="https://dl.${ENVIRONMENT}/chainctl/latest/chainctl_${os}_${arch}"
 out="chainctl"
 if [[ "${os}" == "windows" ]]; then
 url="${url}.exe"
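Review bot: The new PowerShell branch in the `@@ -139,9 +139,11 @@` hunk captures `(Get-FileHash …).Hash.ToLower()` through bash command substitution, and Windows PowerShell emits CRLF-terminated output; `$(...)` strips only the trailing LF, so `actual` would likely keep a trailing carriage return and the `[[ "${expected}" != "${actual}" ]]` test two lines below would report a mismatch for a correct download. Strip it before comparing: `actual=$(powershell -Command "(Get-FileHash -Algorithm SHA256 './${out}').Hash.ToLower()" | tr -d '\r')`. It is also worth confirming on a windows runner whether this branch is reached at all, since `shell: bash` there runs under Git for Windows, which I believe ships a coreutils `sha256sum`, in which case the first branch is taken and this one is dead code. The enclosing `run:` script starts and ends outside the hunk.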
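Review bot: Reading the input from `env:` keeps the expression out of the script text, but `url="https://dl.${ENVIRONMENT}/chainctl/latest/chainctl_${os}_${arch}"` in the `@@ -112,7 +113,7 @@` hunk still builds the download host from an action input with no validation, so a value containing `/`, `@` or `?` changes which host or path the binary and its checksum file are fetched from. Validate the value once before it is used, e.g. `[[ "${ENVIRONMENT}" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "::error::invalid environment '${ENVIRONMENT}'"; exit 1; }` placed above the `url=` line; the same variable feeds `checksums_url` in the `@@ -127,7 +128,7 @@` hunk, which the one check covers. The enclosing `run:` script starts before this hunk and continues past it.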
@@ -127,7 +128,7 @@ runs:
 fi
 # Verify chainctl binary checksum
- checksums_url="https://dl.${{ inputs.environment }}/chainctl/latest/chainctl_checksums.txt"
+ checksums_url="https://dl.${ENVIRONMENT}/chainctl/latest/chainctl_checksums.txt"
 echo "Downloading checksums from ${checksums_url}"
 curl -o checksums.txt -fsL --retry 3 --retry-delay 1 "${checksums_url}"
 expected=$(grep "chainctl_${os}_${arch}" checksums.txt | awk '{print $1}')
@@ -237,4 +238,4 @@ runs:
 name: Install Python keyring package
 shell: bash
 run: |
- python -m pip install "keyrings-chainguard-libraries==0.2.0"
+ python -m pip install "keyrings-chainguard-libraries==0.2.0"
\ No newline at end of file