Skip to content

feat(lib/store): verify download blob digest when moving to cache#641

Open
thijmv wants to merge 1 commit into
masterfrom
thijmv/download-digest-verification
Open

feat(lib/store): verify download blob digest when moving to cache#641
thijmv wants to merge 1 commit into
masterfrom
thijmv/download-digest-verification

Conversation

@thijmv

@thijmv thijmv commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR adds digest verification when downloading a blob through the CADownloadStore, before moving it to the cache. Previously, only the CRC32 of individual pieces was verified during download. The SHA256 of the assembled blob was never checked before being cached under its trusted digest, meaning a malicious peer could poison the cache with content that does not match the requested digest. This PR closes that gap by validating the SHA256 of a blob before the move.

Note that this change trades performance for security, as the digest of every blob must now be computed before moving it to the cache.

Digest validation can be opted out of via a dedicated SkipHashVerification flag, but this is not recommended.

Fixes #638.

@github-actions github-actions Bot added the size/m label Jul 2, 2026
@thijmv
thijmv force-pushed the thijmv/download-digest-verification branch from 8153ee8 to 908f36e Compare July 3, 2026 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Agent caches P2P blobs under a trusted sha256 digest after CRC32-only piece checks, never verifying the assembled content hash (cache poisoning)

1 participant