Idea: the babashka installer could infer --checksum values from .sha256 files on GitHub releases to improve download integrity.
do you mean the install script? it already does I believe
if has sha256sum; then
    sha256sum_cmd="sha256sum"
elif has shasum; then
    sha256sum_cmd="shasum -a 256"
else
    >&2 echo "Either 'sha256sum' or 'shasum' needs to be on PATH for '--checksum' flag!"
    >&2 echo "Exiting..."
    exit 1
fi
# Running this part in a subshell so when it finishes we go back to the previous directory
mkdir -p "$download_dir" && (
    # bail out if the cd fails, otherwise the download lands in the current directory
    cd "$download_dir" || exit 1
    echo -e "Downloading $download_url to $download_dir"
    fetch "$download_url" "$filename"
    if [[ -n "$checksum" ]]; then
        # --check reads "<hex> *<file>" from stdin; the '*' marks binary mode
        if ! echo "$checksum *$filename" | $sha256sum_cmd --check --status; then
            >&2 echo "Failed checksum on $filename"
            # use the detected command here as well; shasum may not be on PATH
            >&2 echo "Got: $($sha256sum_cmd "$filename" | cut -d' ' -f1)"
            >&2 echo "Expected: $checksum"
            exit 1
        fi
    fi
    $util "$filename"
    rm -f "$filename"
)
I guess only if you use the --checksum flag
Yeah I think there's an opportunity to improve download integrity without user intervention.
I don't think the installer goes and looks for a sha256 on github releases.
What exactly do you mean by "the installer"? I just explained that the install script checks if you enable the check with --checksum
My idea is that if --checksum is not provided, install finds the relevant checksum automatically:
if [[ -z "$checksum" ]]; then
    # no --checksum given: fetch the .sha256 published next to the release asset
    sha256_url=""
    fetch "$sha256_url" "$filename.sha256"
    checksum=$(cat "$filename.sha256")
fi
@ambrosebs now I get what you mean
yeah I think that's a good addition
nice, I'll follow up with a PR when I submit a similar change to Clojure's linux-install.sh.
Normally you verify the checksum if your file is from an untrusted source. What is the point of verifying the checksum if the file and the checksum come from the same source?
to check file integrity (not provenance)
we already trust github releases without the --checksum flag, so this would add an extra check that the file we downloaded wasn't corrupted based on that premise.
for those that have checksums that prove provenance, they can supply their own. though I'm not sure how you'd find those at the moment. once we have a general way of verifying the provenance of a checksum, we can use that here too.
my hope is this would be a small improvement on the road towards signed/reproducible/attestable babashka builds (long term). not a destination.