sec(installer): add checksum verification and archive extraction safeguards #87

@CalvinAllen

Description

Add SHA256 checksum verification to installers before archive extraction.

Current State

  • ✅ ZipSlip/path traversal protection already implemented in src/internal/download/extract.go
  • ❌ No checksum verification in install.sh or install.ps1

Remaining Work

Release Process

  • Generate SHA256 checksums for all release archives during CI build
  • Publish CHECKSUMS.sha256 file alongside release artifacts

Installer Updates

  • install.sh: Download and verify checksum before extraction
  • install.ps1: Download and verify checksum before extraction
  • Abort installation if checksum is missing or doesn't match
  • Use secure temp directories for downloads
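The verification step the three installer bullets describe, as an added example in POSIX sh (this is not the project's install.sh, and the issue does not specify a manifest format). It assumes CHECKSUMS.sha256 is written in `sha256sum` format, one `<hex digest>  <archive filename>` line per release archive, and that the installer knows the filename of the archive it just downloaded. The `demo` function builds a constructed release in a fresh `mktemp -d` directory and exercises the three outcomes the acceptance criteria call for: match, missing entry, and mismatch.

```shell
#!/bin/sh
# Added example, not the project's own installer. Assumed manifest format:
# "<64 hex chars>  <archive filename>" per line, as produced by sha256sum.
set -eu

# Print the lowercase hex SHA-256 of a file with whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print tolower($1) }'
  else
    shasum -a 256 "$1" | awk '{ print tolower($1) }'
  fi
}

# verify_checksum ARCHIVE CHECKSUMS_FILE
# Exit status: 0 = digest matches, 1 = no (usable) entry for this archive,
# 2 = digest mismatch. Any non-zero status must abort before extraction.
verify_checksum() {
  archive="$1"
  sums="$2"
  name="${archive##*/}"
  # Look up the entry by exact filename. sha256sum marks binary-mode entries
  # with a leading "*", so strip it. Release archive names contain no spaces.
  expected="$(awk -v n="$name" '
      { f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }
    ' "$sums")"
  if [ -z "$expected" ]; then
    echo "error: $sums has no entry for $name; refusing to install" >&2
    return 1
  fi
  # A digest that is not exactly 64 hex characters means a corrupted or
  # tampered manifest; treat it the same as a missing entry.
  case "$expected" in
    *[!0-9a-f]*) echo "error: malformed digest for $name" >&2; return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "error: malformed digest for $name" >&2
    return 1
  fi
  actual="$(sha256_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "error: checksum mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 2
  fi
  return 0
}

# Create a constructed release in a private temp directory and print its path.
# mktemp -d creates the directory mode 0700, so another local user cannot swap
# the archive between download and verification. The "archives" are plain
# files; the digest logic does not care about their contents.
make_fixture() {
  dir="$(mktemp -d)"
  printf 'constructed archive bytes\n' > "$dir/tool_linux_amd64.tar.gz"
  printf 'another constructed archive\n' > "$dir/tool_darwin_arm64.tar.gz"
  # Only the first archive is listed, so the second exercises the missing-entry path.
  printf '%s  tool_linux_amd64.tar.gz\n' \
    "$(sha256_of "$dir/tool_linux_amd64.tar.gz")" > "$dir/CHECKSUMS.sha256"
  echo "$dir"
}

# Run the three scenarios and print their exit statuses as "match missing mismatch".
demo() {
  dir="$(make_fixture)"
  rc_ok=0
  verify_checksum "$dir/tool_linux_amd64.tar.gz" "$dir/CHECKSUMS.sha256" 2>/dev/null || rc_ok=$?
  rc_missing=0
  verify_checksum "$dir/tool_darwin_arm64.tar.gz" "$dir/CHECKSUMS.sha256" 2>/dev/null || rc_missing=$?
  # Simulate a modified download: append one byte to the listed archive.
  printf 'x' >> "$dir/tool_linux_amd64.tar.gz"
  rc_mismatch=0
  verify_checksum "$dir/tool_linux_amd64.tar.gz" "$dir/CHECKSUMS.sha256" 2>/dev/null || rc_mismatch=$?
  rm -rf "$dir"
  echo "$rc_ok $rc_missing $rc_mismatch"
}

demo
```

In a real installer the call sits between the download and the `tar`/`Expand-Archive` step: `verify_checksum "$tmp/$archive" "$tmp/CHECKSUMS.sha256" || exit 1`. Note that the manifest is fetched over the same channel as the archive, so this check defends against a corrupted or substituted artifact, not against an attacker who can rewrite both files at the release source; a signature over CHECKSUMS.sha256 would be needed for that.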

Documentation

  • Update install instructions to mention verification
  • Document manual verification steps for security-conscious users

Acceptance Criteria

  • Installers always verify archive integrity before extracting
  • Installation aborts if checksum is missing or doesn't match
  • Extraction prevents absolute paths/parent traversal (already done)

Security Impact

High - Prevents supply chain attacks via compromised downloads.

Labels

security (Security-related issues and improvements)