Skip to content

[FR] Verify SHA256 checksum of downloaded binary in install.sh / install.ps1 #40

Description

@chirag127

Use case

One-line installers pipe an untrusted binary to /usr/local/bin (Linux/macOS) or user PATH (Windows) with no integrity check. A compromised GitHub release, MITM on the redirect, or CDN cache poisoning would silently install a bad binary — high-impact for a tool that then acts on the user's GitHub token.

Proposal

Publish SHA256SUMS (or per-binary .sha256) alongside release assets. In install.sh:30 and install.ps1:13, download the checksum file and verify with sha256sum -c / Get-FileHash -Algorithm SHA256 before chmod +x / PATH-add. Fail closed on mismatch.

Existing art

rustup-init, deno, uv, and starship installers all verify SHA256 before running the binary.

Not a bug caveat

Current behavior is unsafe-by-design, not broken; this is a hardening request.

Thanks for maintaining tang-vu/ContribAI!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions