Add SHA1 validation for cached prebuilt iOS binaries

Fetches the .sha1 checksum from Maven for each downloaded tarball
and validates file integrity at two points:

1. When reading from the shared cache: if the cached file's SHA1
   doesn't match Maven's, it is treated as corrupted and
   re-downloaded, replacing the stale cache entry.
2. After a fresh download: validates the download succeeded
   correctly before saving to the shared cache. If verification
   fails, the file is not cached (but still used locally, as
   CocoaPods will re-extract it).

If Maven doesn't serve a .sha1 for a given artifact (e.g. some
nightly builds), validation is skipped gracefully.

Author: cipolleschi

packages/react-native/scripts/cocoapods/rncore.rb

@@ -6,6 +6,7 @@
 require 'json'
 require 'net/http'
 require 'rexml/document'
+require 'digest'
 
 require_relative './utils.rb'
 
@@ -409,6 +410,27 @@ def self.shared_cache_dir()
         return File.join(Dir.home, "Library", "Caches", "ReactNative")
     end
 
+    def self.fetch_maven_sha1(tarball_url)
+        sha1 = `curl -sL "#{tarball_url}.sha1"`.strip
+        return sha1.downcase if $?.success? && sha1.match?(/\A[a-fA-F0-9]{40}\z/)
+        nil
+    end
+
+    def self.validate_tarball(path, tarball_url)
+        expected_sha1 = fetch_maven_sha1(tarball_url)
+        if expected_sha1.nil?
+          rncore_log("SHA1 not available from Maven for #{File.basename(path)}. Skipping validation.")
+          return true
+        end
+        actual_sha1 = Digest::SHA1.file(path).hexdigest
+        if actual_sha1 == expected_sha1
+          rncore_log("SHA1 verified for #{File.basename(path)}")
+          return true
+        end
+        rncore_log("SHA1 mismatch for #{File.basename(path)}: expected #{expected_sha1}, got #{actual_sha1}", :error)
+        return false
+    end
+
     def self.download_rncore_tarball(react_native_path, tarball_url, version, configuration, dsyms = false)
         filename = configuration == nil ?
             "reactnative-core-#{version}#{dsyms ? "-dSYM" : ""}.tar.gz" :
@@ -423,18 +445,26 @@ def self.download_rncore_tarball(react_native_path, tarball_url, version, config
         `mkdir -p "#{artifacts_dir()}"`
 
         cached_path = File.join(shared_cache_dir(), filename)
-        if File.exist?(cached_path)
+        if File.exist?(cached_path) && validate_tarball(cached_path, tarball_url)
           rncore_log("Cache hit: copying #{filename} from shared cache (#{shared_cache_dir()})")
           FileUtils.cp(cached_path, destination_path)
         else
-          rncore_log("Cache miss: downloading #{filename} from #{tarball_url}")
+          if File.exist?(cached_path)
+            rncore_log("Shared cache file #{filename} failed SHA verification. Re-downloading.")
+          else
+            rncore_log("Cache miss: downloading #{filename} from #{tarball_url}")
+          end
           # Download to a temporary file first so we don't cache incomplete downloads.
           tmp_file = "#{artifacts_dir()}/reactnative-core.download"
           `curl "#{tarball_url}" -Lo "#{tmp_file}" && mv "#{tmp_file}" "#{destination_path}"`
-          # Save to shared cache for future use
-          `mkdir -p "#{shared_cache_dir()}"`
-          FileUtils.cp(destination_path, cached_path)
-          rncore_log("Saved #{filename} to shared cache (#{shared_cache_dir()})")
+          if validate_tarball(destination_path, tarball_url)
+            # Save to shared cache for future use
+            `mkdir -p "#{shared_cache_dir()}"`
+            FileUtils.cp(destination_path, cached_path)
+            rncore_log("Saved #{filename} to shared cache (#{shared_cache_dir()})")
+          else
+            rncore_log("Downloaded file #{filename} failed SHA verification!", :error)
+          end
         end
 
         return destination_path

packages/react-native/scripts/cocoapods/rndependencies.rb

@@ -6,6 +6,7 @@
 require "json"
 require 'net/http'
 require 'rexml/document'
+require 'digest'
 
 require_relative './utils.rb'
 
@@ -235,6 +236,27 @@ def self.shared_cache_dir()
         return File.join(Dir.home, "Library", "Caches", "ReactNative")
     end
 
+    def self.fetch_maven_sha1(tarball_url)
+        sha1 = `curl -sL "#{tarball_url}.sha1"`.strip
+        return sha1.downcase if $?.success? && sha1.match?(/\A[a-fA-F0-9]{40}\z/)
+        nil
+    end
+
+    def self.validate_tarball(path, tarball_url)
+        expected_sha1 = fetch_maven_sha1(tarball_url)
+        if expected_sha1.nil?
+          rndeps_log("SHA1 not available from Maven for #{File.basename(path)}. Skipping validation.")
+          return true
+        end
+        actual_sha1 = Digest::SHA1.file(path).hexdigest
+        if actual_sha1 == expected_sha1
+          rndeps_log("SHA1 verified for #{File.basename(path)}")
+          return true
+        end
+        rndeps_log("SHA1 mismatch for #{File.basename(path)}: expected #{expected_sha1}, got #{actual_sha1}", :error)
+        return false
+    end
+
     def self.download_rndeps_tarball(react_native_path, tarball_url, version, configuration)
         filename = configuration == nil ?
             "reactnative-dependencies-#{version}.tar.gz" :
@@ -249,18 +271,26 @@ def self.download_rndeps_tarball(react_native_path, tarball_url, version, config
         `mkdir -p "#{artifacts_dir()}"`
 
         cached_path = File.join(shared_cache_dir(), filename)
-        if File.exist?(cached_path)
+        if File.exist?(cached_path) && validate_tarball(cached_path, tarball_url)
           rndeps_log("Cache hit: copying #{filename} from shared cache (#{shared_cache_dir()})")
           FileUtils.cp(cached_path, destination_path)
         else
-          rndeps_log("Cache miss: downloading #{filename} from #{tarball_url}")
+          if File.exist?(cached_path)
+            rndeps_log("Shared cache file #{filename} failed SHA verification. Re-downloading.")
+          else
+            rndeps_log("Cache miss: downloading #{filename} from #{tarball_url}")
+          end
           # Download to a temporary file first so we don't cache incomplete downloads.
           tmp_file = "#{artifacts_dir()}/reactnative-dependencies.download"
           `curl "#{tarball_url}" -Lo "#{tmp_file}" && mv "#{tmp_file}" "#{destination_path}"`
-          # Save to shared cache for future use
-          `mkdir -p "#{shared_cache_dir()}"`
-          FileUtils.cp(destination_path, cached_path)
-          rndeps_log("Saved #{filename} to shared cache (#{shared_cache_dir()})")
+          if validate_tarball(destination_path, tarball_url)
+            # Save to shared cache for future use
+            `mkdir -p "#{shared_cache_dir()}"`
+            FileUtils.cp(destination_path, cached_path)
+            rndeps_log("Saved #{filename} to shared cache (#{shared_cache_dir()})")
+          else
+            rndeps_log("Downloaded file #{filename} failed SHA verification!", :error)
+          end
         end
 
         return destination_path

packages/react-native/sdks/hermes-engine/hermes-utils.rb

@@ -3,6 +3,8 @@
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 
+require 'digest'
+
 HERMES_GITHUB_URL = "https://github.com/facebook/hermes.git"
 ENV_BUILD_FROM_SOURCE = "RCT_BUILD_HERMES_FROM_SOURCE"
 
@@ -210,6 +212,27 @@ def shared_cache_dir()
     return File.join(Dir.home, "Library", "Caches", "ReactNative")
 end
 
+def fetch_maven_sha1(tarball_url)
+    sha1 = `curl -sL "#{tarball_url}.sha1"`.strip
+    return sha1.downcase if $?.success? && sha1.match?(/\A[a-fA-F0-9]{40}\z/)
+    nil
+end
+
+def validate_tarball(path, tarball_url)
+    expected_sha1 = fetch_maven_sha1(tarball_url)
+    if expected_sha1.nil?
+      hermes_log("SHA1 not available from Maven for #{File.basename(path)}. Skipping validation.", :info)
+      return true
+    end
+    actual_sha1 = Digest::SHA1.file(path).hexdigest
+    if actual_sha1 == expected_sha1
+      hermes_log("SHA1 verified for #{File.basename(path)}", :info)
+      return true
+    end
+    hermes_log("SHA1 mismatch for #{File.basename(path)}: expected #{expected_sha1}, got #{actual_sha1}", :error)
+    return false
+end
+
 def download_hermes_tarball(react_native_path, tarball_url, version, configuration)
     filename = configuration == nil ?
         "hermes-ios-#{version}.tar.gz" :
@@ -224,18 +247,26 @@ def download_hermes_tarball(react_native_path, tarball_url, version, configurati
     `mkdir -p "#{artifacts_dir()}"`
 
     cached_path = File.join(shared_cache_dir(), filename)
-    if File.exist?(cached_path)
+    if File.exist?(cached_path) && validate_tarball(cached_path, tarball_url)
       hermes_log("Cache hit: copying #{filename} from shared cache (#{shared_cache_dir()})", :info)
       FileUtils.cp(cached_path, destination_path)
     else
-      hermes_log("Cache miss: downloading #{filename} from #{tarball_url}", :info)
+      if File.exist?(cached_path)
+        hermes_log("Shared cache file #{filename} failed SHA verification. Re-downloading.", :info)
+      else
+        hermes_log("Cache miss: downloading #{filename} from #{tarball_url}", :info)
+      end
       # Download to a temporary file first so we don't cache incomplete downloads.
       tmp_file = "#{artifacts_dir()}/hermes-ios.download"
       `curl "#{tarball_url}" -Lo "#{tmp_file}" && mv "#{tmp_file}" "#{destination_path}"`
-      # Save to shared cache for future use
-      `mkdir -p "#{shared_cache_dir()}"`
-      FileUtils.cp(destination_path, cached_path)
-      hermes_log("Saved #{filename} to shared cache (#{shared_cache_dir()})", :info)
+      if validate_tarball(destination_path, tarball_url)
+        # Save to shared cache for future use
+        `mkdir -p "#{shared_cache_dir()}"`
+        FileUtils.cp(destination_path, cached_path)
+        hermes_log("Saved #{filename} to shared cache (#{shared_cache_dir()})", :info)
+      else
+        hermes_log("Downloaded file #{filename} failed SHA verification!", :error)
+      end
     end
 
     return destination_path