Use case
One-line installers pipe an untrusted binary to /usr/local/bin (Linux/macOS) or user PATH (Windows) with no integrity check. A compromised GitHub release, MITM on the redirect, or CDN cache poisoning would silently install a bad binary — high-impact for a tool that then acts on the user's GitHub token.
Proposal
Publish SHA256SUMS (or per-binary .sha256) alongside release assets. In install.sh:30 and install.ps1:13, download the checksum file and verify with sha256sum -c / Get-FileHash -Algorithm SHA256 before chmod +x / PATH-add. Fail closed on mismatch.
Existing art
rustup-init, deno, uv, and starship installers all verify SHA256 before running the binary.
Not a bug caveat
Current behavior is unsafe-by-design, not broken; this is a hardening request.
Thanks for maintaining tang-vu/ContribAI!
Use case
One-line installers pipe an untrusted binary to
/usr/local/bin(Linux/macOS) or user PATH (Windows) with no integrity check. A compromised GitHub release, MITM on the redirect, or CDN cache poisoning would silently install a bad binary — high-impact for a tool that then acts on the user's GitHub token.Proposal
Publish
SHA256SUMS(or per-binary.sha256) alongside release assets. Ininstall.sh:30andinstall.ps1:13, download the checksum file and verify withsha256sum -c/Get-FileHash -Algorithm SHA256beforechmod +x/ PATH-add. Fail closed on mismatch.Existing art
rustup-init, deno, uv, and starship installers all verify SHA256 before running the binary.
Not a bug caveat
Current behavior is unsafe-by-design, not broken; this is a hardening request.
Thanks for maintaining tang-vu/ContribAI!