Currently, packages can be published and subsequently modified without any repercussions. This is great for flexibility but poses an issue with regards to security and tampering.
Who's to say one couldn't grab a GitHub token and commit a malicious header or a crypto mining bot in a binary? With how lax security is in the Quest community (analyzing and auditing binaries is hard to do in itself), this can cause major issues in the future.
Proposal: Add checksum validation in QPM-Rust. Here are a few options we could explore:
- Backends such as qpackages (and any future ones for that matter) could provide a checksum endpoint which is immutable after a package is published. This checksum could be used to validate both binaries and possibly the repo itself, though the latter is a more technical challenge.
- Calculate the checksum on download and store it in `qpm.shared.json` (which should now be committed in every repo). This poses an issue if someone were to be using a locally installed package with conflicting versions, say a PinkCore dev build for updating to 1.28.
- Use the GitHub API for determining the checksum, as it's provided both by the git commit hash and GitHub's REST API. This however does not address the fundamental flaw related to binaries, since they can be reuploaded.
Maybe a combination of all these 3 solutions could be ideal, though it is up for discussion.
The following would occur if a checksum would be invalid for whatever reason:
- In CI: throw an error, this is not a bug and should not be allowed. Since CI is commonly used for tests, regression and even releasing mods, it could be dangerous if abused by modified binaries.
- Locally: Warn the user that the binary has been modified and display both checksums.
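As an added illustration of the second option and the CI/local behaviour proposed above (example code, not part of this issue or of QPM-Rust): the checksum is recorded in the lock file on first download and checked on later restores; a mismatch raises in CI and only warns locally, printing both digests. The `restoredDependencies` / `checksum` fields and the `CI=true` environment check are assumptions, not the real `qpm.shared.json` schema.

```python
import hashlib
import json
import os

# Constructed stand-in for a restored native library; not a real QPM package.
PUBLISHED_ARTIFACT = b"\x7fELF constructed example-lib 1.0.0 payload"


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def record_checksum(lock: dict, dep_id: str, version: str, data: bytes) -> dict:
    """First restore: pin the downloaded binary's digest in the lock file."""
    lock.setdefault("restoredDependencies", []).append(
        {"id": dep_id, "version": version, "checksum": sha256_hex(data)})
    return lock


class ChecksumMismatch(Exception):
    """Hard failure used in CI, where a modified binary must not be consumed."""


def verify_restored(lock: dict, dep_id: str, data: bytes, ci: bool) -> tuple[bool, str]:
    """Later restores: compare the artifact against the pinned digest.
    Returns (ok, message). In CI a mismatch raises; locally it becomes a
    warning that shows both checksums so the user can see what changed."""
    entry = next(d for d in lock["restoredDependencies"] if d["id"] == dep_id)
    expected, actual = entry["checksum"], sha256_hex(data)
    if actual == expected:
        return True, f"{dep_id}@{entry['version']}: checksum ok"
    msg = (f"{dep_id}@{entry['version']}: binary differs from lock file\n"
           f"  expected {expected}\n  actual   {actual}")
    if ci:
        raise ChecksumMismatch(msg)
    return False, "warning: " + msg


def is_ci() -> bool:
    # Assumption: the CI runner exports CI=true (GitHub Actions does).
    return os.environ.get("CI", "").lower() == "true"


if __name__ == "__main__":
    lock = record_checksum({}, "example-lib", "1.0.0", PUBLISHED_ARTIFACT)
    print(json.dumps(lock, indent=2))  # what the lock file would pin
    print(verify_restored(lock, "example-lib", PUBLISHED_ARTIFACT, ci=is_ci())[1])
    tampered = PUBLISHED_ARTIFACT + b" + reuploaded with extra code"
    print(verify_restored(lock, "example-lib", tampered, ci=False)[1])
```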