From ba2d91fe07aa219a1270aebad246e85948cf3897 Mon Sep 17 00:00:00 2001
From: latenighthackathon <latenighthackathon@users.noreply.github.com>
Date: Sun, 29 Mar 2026 18:28:16 -0500
Subject: [PATCH] fix(install): make checksum verification mandatory

verify_checksum() previously warned and continued when sha256sum was
unavailable or the checksums file couldn't be downloaded. An attacker
who can manipulate the download could serve a binary without the
checksum file and have it silently installed.

Fail the installation if:
- sha256sum/shasum is not available
- checksums file cannot be downloaded
- filename not found in checksums file

Closes #590

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
---
 install.sh | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/install.sh b/install.sh
index cf29ba74..e7fdb085 100755
--- a/install.sh
+++ b/install.sh
@@ -183,8 +183,7 @@ verify_checksum() {
   _vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
 
   if [ -z "$_vc_expected" ]; then
-    warn "no checksum found for $_vc_filename, skipping verification"
-    return 0
+    error "no checksum found for $_vc_filename in checksums file"
   fi
 
   if has_cmd shasum; then
@@ -192,8 +191,7 @@ verify_checksum() {
   elif has_cmd sha256sum; then
     echo "$_vc_expected  $_vc_archive" | sha256sum -c --quiet 2>/dev/null
   else
-    warn "sha256sum/shasum not found, skipping checksum verification"
-    return 0
+    error "sha256sum or shasum is required to verify checksums"
   fi
 }
 
@@ -256,12 +254,11 @@ main() {
 
   # Verify checksum
   info "verifying checksum..."
-  if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
-    if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
-      error "checksum verification failed for ${_filename}"
-    fi
-  else
-    warn "could not download checksums file, skipping verification"
+  if ! download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
+    error "could not download checksums file from ${_checksums_url}"
+  fi
+  if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
+    error "checksum verification failed for ${_filename}"
   fi
 
   # Extract