Add SHA256 checksum verification for install and update #7

Merged

axeldelafosse merged 2 commits into main from pr/checksum-update-no-workflow on Feb 22, 2026
Conversation

@axeldelafosse (Owner) commented Feb 22, 2026

Summary

  • Add SHA256 checksum verification to the install and update flows.
  • Verify checksums for downloaded artifacts before continuing.
  • Update installer/update behavior and tests to enforce checksum validation.
  • Keep behavior backwards compatible while failing fast on verification mismatches.

Testing

  • Existing/updated tests in this PR cover checksum validation for install and update paths.

- Generate and upload .sha256 files in the release workflow
- Make checksum verification mandatory in update.ts (reject unverified binaries)
- Add checksum verification to install.sh
- Update tests to expect errors on missing/mismatched checksums

@gemini-code-assist (bot)

Summary of Changes

Hello @axeldelafosse, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the application's installation and update procedures. By integrating SHA256 checksum verification, it ensures that all downloaded binaries are untampered and originate from trusted sources. This change moves from a warning-based approach to a strict enforcement model, preventing the installation of potentially compromised or unverified software components, thereby bolstering the overall system integrity.

Highlights

  • Enhanced Security for Installations: Implemented SHA256 checksum verification for both the install.sh script and the src/loop/update.ts update process, ensuring the integrity and authenticity of downloaded binaries.
  • Strict Checksum Enforcement: Modified the update mechanism to strictly require SHA256 checksums. If a checksum file is unavailable or verification fails, the update process will now explicitly fail and refuse to install the unverified binary, rather than merely issuing a warning.
  • Robust Error Handling: Improved error propagation in the update command handler, ensuring that any failures during the update process, including checksum mismatches, result in a thrown error.
  • Comprehensive Test Coverage: Updated and expanded unit tests for the update functionality to cover scenarios with matching, mismatched, and missing checksums, validating the new security measures and error handling.

Changelog

  • install.sh
    • Added SHA256 checksum download and verification logic for installed binaries.
    • Implemented checks for shasum or sha256sum tools to perform verification.
    • Introduced error handling to exit if checksum download fails or verification produces a mismatch.
    • Included a warning and fallback if no SHA256 tool is found on the system.
  • src/loop/update.ts
    • Changed behavior from logging a warning to throwing an error when no .sha256 checksum is available for a binary, refusing installation.
    • Modified the handleManualUpdateCommand to re-throw errors caught during the update process, ensuring failures are propagated.
  • tests/loop/update.test.ts
    • Introduced binaryData and expectedHash variables for consistent test data.
    • Updated fetchMock to simulate the availability and download of .sha256 checksum files.
    • Expanded assertions in the 'update verifies matching checksum' test to check staged binary content, metadata, and absence of error logs.
    • Modified the 'update rejects mismatched checksum' test to expect a thrown error and verify that no files are staged.
    • Renamed the 'update warns when no checksum available' test to 'update rejects when no checksum available' to reflect the new strict behavior.
    • Updated the 'update rejects when no checksum available' test to expect a thrown error and confirm that no files are staged.

Activity

  • The pull request was created by axeldelafosse.
  • The pull request introduces SHA256 checksum verification for install and update processes.
  • Tests for installer/update and source checks were updated to reflect the new verification logic.
  • A workflow change was omitted from this PR due to GitHub token scope limitations.

@axeldelafosse force-pushed the pr/checksum-update-no-workflow branch from addf662 to 5445d26 on February 22, 2026 18:34

@gemini-code-assist (bot) left a comment


Code Review

This pull request significantly improves security by introducing SHA256 checksum verification for both the installation script and the in-app update mechanism. However, two critical vulnerabilities have been identified: the install.sh script's checksum verification can be bypassed if hashing tools are not present, and a Time-of-check to Time-of-use (TOCTOU) vulnerability exists in the update.ts logic, potentially allowing a local attacker to replace the staged binary before installation. Addressing these issues is crucial to fully harden the update process.

Comment thread: install.sh (outdated)
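As an added example (not the project's install.sh or the PR's code), this is the shape of verification the review asks for: the script fails closed when neither sha256sum nor shasum is present instead of warning and continuing, rejects malformed or mismatched sidecar files, and stages the download in a private directory on the destination's filesystem so that a single rename installs exactly the bytes that were verified. The `<hex>  <name>` sidecar format and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's install.sh. Verifies a download against a
# sidecar .sha256 file, fails closed when no hashing tool exists, and stages
# in a private dir on the destination filesystem so one rename installs
# exactly the bytes that were verified.
set -eu

# Print the SHA-256 command to use; fail (no silent fallback) if none exists.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
  elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
  else
    echo "error: no sha256sum/shasum found; refusing to install unverified binary" >&2
    return 1
  fi
}

# verify_checksum <file> <sidecar>; sidecar line assumed as "<64 hex>  <name>".
# Returns 0 on match, 1 on mismatch, malformed sidecar, or missing tool.
verify_checksum() {
  file=$1; sums=$2
  expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
  case "$expected" in *[!0-9a-f]*|"") echo "error: malformed checksum file" >&2; return 1;; esac
  [ "${#expected}" -eq 64 ] || { echo "error: malformed checksum file" >&2; return 1; }
  tool=$(sha256_tool) || return 1
  actual=$($tool "$file" | awk '{print tolower($1)}')   # $tool unquoted: may carry args
  if [ "$actual" != "$expected" ]; then
    echo "error: checksum mismatch for $file (expected $expected, got $actual)" >&2
    return 1
  fi
}

# install_verified <download> <sidecar> <dest>: copy into a 0700 staging dir
# next to dest, verify the staged copy, then rename it into place.
install_verified() {
  src=$1; sums=$2; dest=$3
  stage=$(mktemp -d "$(dirname "$dest")/.stage.XXXXXX")
  cp "$src" "$stage/bin"
  if ! verify_checksum "$stage/bin" "$sums"; then rm -rf "$stage"; return 1; fi
  chmod 755 "$stage/bin"
  mv -f "$stage/bin" "$dest"
  rm -rf "$stage"
}
```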
@axeldelafosse merged commit a5f96c1 into main on Feb 22, 2026
2 checks passed