Fix checksum verification for dependencies in mix.lock

Checksum verification was not being performed due to a type mismatch
in pattern matching. Comparing atom-based names against string-based
lock data caused the verification to be silently skipped.

Fixes: GHSA-hmv9-4mfr-m92v
Fixes: CVE-2026-32148

Co-authored-by: Jonatan Männchen <jonatan@maennchen.ch>
Co-authored-by: Eric Meadows-Jönsson <eric.meadows.jonsson@gmail.com>

Author: ericmj

lib/hex/remote_converger.ex

@@ -569,10 +569,8 @@ defmodule Hex.RemoteConverger do
 
   defp verify_resolved(resolved, lock) do
     Enum.each(resolved, fn {repo, name, app, version} ->
-      atom_name = String.to_atom(name)
-
       case Hex.Utils.lock(lock[String.to_atom(app)]) do
-        %{name: ^atom_name, version: ^version, repo: ^repo} = lock ->
+        %{name: ^name, version: ^version, repo: ^repo} = lock ->
           verify_inner_checksum(repo, name, version, lock.inner_checksum)
           verify_outer_checksum(repo, name, version, lock.outer_checksum)
           verify_deps(repo, name, version, lock.deps)
@@ -599,14 +597,16 @@ defmodule Hex.RemoteConverger do
     end
   end
 
+  defp verify_deps(repo, name, version, deps)
   defp verify_deps(nil, _name, _version, _deps), do: :ok
+  defp verify_deps(_repo, _name, _version, nil), do: []
 
   defp verify_deps(repo, name, version, deps) do
     # TODO: Use requests?
     deps =
       Enum.map(deps, fn {app, req, opts} ->
         %{
-          repo: opts[:repo],
+          repo: if(opts[:repo] != "hexpm", do: opts[:repo]),
           name: opts[:hex],
           constraint: Hex.Solver.parse_constraint!(req),
           optional: !!opts[:optional],

test/hex/remote_converger_test.exs

@@ -198,4 +198,54 @@ defmodule Hex.RemoteConvergerTest do
       refute_received {:mix_shell, :yes?, _}
     end)
   end
+
+  defmodule ChecksumIntegrity.MixProject do
+    def project do
+      [
+        app: :checksum_integrity,
+        version: "0.1.0",
+        deps: [
+          {:ex_doc, "~> 0.1.0"}
+        ]
+      ]
+    end
+  end
+
+  test "raises on checksum mismatch in mix.lock" do
+    in_tmp(fn ->
+      Mix.Project.push(ChecksumIntegrity.MixProject)
+
+      # First, get dependencies normally to create a valid lock file
+      :ok = Mix.Tasks.Deps.Get.run([])
+
+      # Read the lock file
+      lock = Mix.Dep.Lock.read()
+      {:hex, name, version, inner_checksum, managers, deps, repo, outer_checksum} = lock[:ex_doc]
+
+      assert_checksum_mismatch(%{
+        ex_doc:
+          {:hex, name, version, invalid_checksum(inner_checksum), managers, deps, repo,
+           outer_checksum}
+      })
+
+      assert_checksum_mismatch(%{
+        ex_doc:
+          {:hex, name, version, inner_checksum, managers, deps, repo,
+           invalid_checksum(outer_checksum)}
+      })
+    end)
+  end
+
+  defp assert_checksum_mismatch(lock) do
+    File.write!("mix.lock", inspect(lock, limit: :infinity, pretty: true))
+    Mix.Task.clear()
+
+    # The bug causes this to silently pass and rewrite the lock file with correct checksums
+    assert_raise Mix.Error, ~r/Registry checksum mismatch against lock/, fn ->
+      Mix.Tasks.Deps.Get.run([])
+    end
+  end
+
+  defp invalid_checksum("0" <> rest), do: "1" <> rest
+  defp invalid_checksum(<<_::binary-size(1), rest::binary>>), do: "0" <> rest
 end