babashka

2025-07-02T20:10:30.670159Z

Idea: the babashka installer could infer --checksum values from .sha256 files on GitHub releases to improve download integrity.

borkdude 2025-07-02T20:21:51.130279Z

do you mean the install script? it already does I believe

borkdude 2025-07-02T20:22:38.378919Z

if has sha256sum; then
    sha256sum_cmd="sha256sum"
elif has shasum; then
    sha256sum_cmd="shasum -a 256"
else
    >&2 echo "Either 'sha256sum' or 'shasum' needs to be on PATH for '--checksum' flag!"
    >&2 echo "Exiting..."
    exit 1
fi

# Running this part in a subshell so when it finishes we go back to the previous directory
mkdir -p "$download_dir" && (
    cd "$download_dir"
    echo -e "Downloading $download_url to $download_dir"

    fetch "$download_url" "$filename"
    if [[ -n "$checksum" ]]; then
        if ! echo "$checksum *$filename" | $sha256sum_cmd --check --status; then
            >&2 echo "Failed checksum on $filename"
            # Use the detected command rather than hard-coding shasum, which may be absent when sha256sum was selected
            >&2 echo "Got: $($sha256sum_cmd "$filename" | cut -d' ' -f1)"
            >&2 echo "Expected: $checksum"
            exit 1
        fi
    fi
    $util "$filename"
    rm -f "$filename"
)

borkdude 2025-07-02T20:23:12.282259Z

I guess only if you use the --checksum flag

2025-07-02T20:26:52.303569Z

Yeah I think there's an opportunity to improve download integrity without user intervention.

2025-07-02T20:27:21.500369Z

I don't think the installer goes and looks for a sha256 on github releases.

borkdude 2025-07-02T20:29:33.433249Z

What exactly do you mean with "the installer"? I just explained that the install script checks if you enable the check with --checksum

2025-07-03T04:25:08.243969Z

My idea is that if --checksum is not provided, install finds the relevant checksum automatically:

if [[ -z "$checksum" ]]; then
  sha256_url=""
  fetch "$sha256_url" "$filename.sha256"
  checksum=$(cat "$filename.sha256")
fi

borkdude 2025-07-04T18:26:02.921219Z

@ambrosebs now I get what you mean

borkdude 2025-07-04T18:26:08.503209Z

yeah I think that's a good addition

2025-07-05T06:17:58.935089Z

nice, I'll follow up with a PR when I submit a similar change to Clojure's linux-install.sh.

hrtmt brng 2025-07-07T05:08:55.742689Z

Normally you verify the checksum if your file is from an untrusted source. What is the point of verifying the checksum if the file and the checksum come from the same source?

2025-07-07T22:32:14.021349Z

to check file integrity (not provenance)

2025-07-07T22:39:29.747439Z

we already trust github releases without the --checksum flag, so this would add an extra check that the file we downloaded wasn't corrupted based on that premise.

2025-07-07T22:43:32.268619Z

for those that have checksums that prove provenance, they can supply their own. though I'm not sure how you'd find those at the moment. once we have a general way of verifying the provenance of a checksum, we can use that here too.

2025-07-07T22:56:09.702369Z

my hope is this would be a small improvement on the road towards signed/reproducible/attestable babashka builds (long term). not a destination.