Skip to content

feat(security): verify binary SHA-256 checksum on download (B5) #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
beonde merged 2 commits into from
Mar 27, 2026
Merged

feat(security): verify binary SHA-256 checksum on download (B5) #39

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e0d6f4c
feat(security): verify binary SHA-256 checksum on download (B5)
beonde Mar 27, 2026
5e649f6
fix: resolve TS2322 undefined-to-null type mismatch
beonde Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions src/utils/binary-manager.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import fs from 'fs';
import path from 'path';
import os from 'os';
import crypto from 'crypto';
import axios from 'axios';
import { promisify } from 'util';
import stream from 'stream';
Expand Down Expand Up @@ -124,6 +125,9 @@ export class BinaryManager {
const writer = fs.createWriteStream(tempFilePath);
await pipeline(response.data, writer);

// Verify checksum integrity
await this.verifyChecksum(tempFilePath, assetName);

Comment on lines +128 to +130
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If verifyChecksum throws (e.g., checksum mismatch), the temp directory created for the download is not cleaned up because cleanup only happens after the copy step. Consider scoping tempDir/tempFilePath outside the try block and using a finally to rmSync(tempDir, { recursive: true, force: true }) on both success and failure.

Copilot uses AI. Check for mistakes.
// Move to install dir
// We rename it to capiscio-core (or .exe) for internal consistency
fs.copyFileSync(tempFilePath, this.binaryPath);
Expand Down Expand Up @@ -156,6 +160,44 @@ export class BinaryManager {
}
}

private async verifyChecksum(filePath: string, assetName: string): Promise<void> {
const checksumsUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${VERSION}/checksums.txt`;

let expectedHash: string | null = null;
try {
const resp = await axios.get(checksumsUrl, { timeout: 30000 });
const lines = (resp.data as string).trim().split('\n');
for (const line of lines) {
const parts = line.trim().split(/\s+/);
if (parts.length === 2 && parts[1] === assetName) {
expectedHash = parts[0] ?? null;
break;
}
}
} catch {
console.warn('Warning: Could not fetch checksums.txt. Skipping integrity verification.');
return;
}

if (!expectedHash) {
console.warn(`Warning: Asset ${assetName} not found in checksums.txt. Skipping verification.`);
return;
}

const fileBuffer = fs.readFileSync(filePath);
const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex');
Comment on lines +187 to +188
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verifyChecksum reads the entire downloaded binary into memory with fs.readFileSync just to hash it; this can be expensive for larger release assets and blocks the event loop. Prefer computing the SHA-256 via a read stream (e.g., fs.createReadStream) and updating the hash incrementally.

Suggested change
const fileBuffer = fs.readFileSync(filePath);
const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex');
const hash = crypto.createHash('sha256');
await pipeline(fs.createReadStream(filePath), hash);
const actualHash = hash.digest('hex');

Copilot uses AI. Check for mistakes.

if (actualHash !== expectedHash) {
// Remove the tampered file
fs.unlinkSync(filePath);
throw new Error(
`Binary integrity check failed for ${assetName}. ` +
`Expected SHA-256: ${expectedHash}, got: ${actualHash}. ` +
'The downloaded file does not match the published checksum.'
);
}
}
Comment on lines +163 to +199
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checksum verification introduces new security-critical behavior (successful verification, mismatch error + deletion, and fallback when checksums.txt is missing), but there are no unit tests asserting these paths. Since this repo already has BinaryManager install tests, please add coverage by mocking axios.get for both the binary and checksums.txt, and mocking fs.readFileSync/hashing to simulate match/mismatch.

Copilot uses AI. Check for mistakes.

private getPlatform(): string {
const platform = os.platform();
switch (platform) {
Expand Down
Loading