fix(install): make checksum verification mandatory and validate redirect origin #724

Merged
drew merged 2 commits into main from 590-install-mandatory-checksum/an
Apr 1, 2026

Conversation

@drew drew (Collaborator) commented Apr 1, 2026

Summary

Make all checksum verification paths in install.sh hard failures instead of silent warnings, and validate the redirect URL origin when resolving the latest release.

Related Issue

Closes #590
Closes #638

Changes

  • Mandatory checksums file download: Failing to download the checksums file is now a fatal error instead of a warning that skips verification
  • Mandatory hash tool: If neither shasum nor sha256sum is available, the script aborts instead of silently skipping verification
  • Mandatory checksum entry: If the checksums file doesn't contain an entry for the downloaded filename, the script aborts instead of skipping
  • Redirect origin validation: After following the GitHub releases/latest redirect, the resolved URL is validated against https://github.com/NVIDIA/OpenShell/releases/* to prevent MITM/DNS hijack attacks where an attacker could serve both a malicious binary and a matching checksums file

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

…ect origin

Checksum verification in install.sh previously had multiple silent bypass
paths: missing sha256sum/shasum binary, missing checksums file download,
and missing checksum entry. All three now produce hard errors instead of
warnings.

Additionally, validate the redirect URL from GitHub releases/latest
against the expected github.com/NVIDIA/OpenShell origin to prevent
MITM/DNS hijack attacks where an attacker could serve both a malicious
binary and a matching checksums file.

Closes #590
Closes #638
@drew drew requested a review from a team as a code owner April 1, 2026 16:50
@drew drew self-assigned this Apr 1, 2026
Use grep -F for checksum lookup to prevent regex metacharacters in
filenames (e.g. dots) from matching unintended lines.

Limit redirect hops to 5 in download() as defense-in-depth against
redirect loops or redirect-based attacks.
@drew drew merged commit 2a4cf91 into main Apr 1, 2026
13 checks passed
@drew drew deleted the 590-install-mandatory-checksum/an branch April 1, 2026 20:34

2 participants