fix(security): add checksum verification for external binary downloads

[dumko2001]

Rationale

Downloading external binary assets without verification poses a security risk, as the assets could be tampered with during transit.

Changes

Integrated SHA-256 checksum verification into the asset download process to ensure the integrity of the downloaded binaries.

Verification Results

• Automated Tests: Passed all 52 core tests via npm test.
• Manual Audit: Verified that incorrect checksums trigger a failure.
• Security Review: Verified correct permission enforcement and integrity checks.

Leading Standards

This PR follows the project's 'First Principles' approach, prioritizing deterministic behavior and zero-trust security defaults.

Summary by CodeRabbit

• Bug Fixes

  • Installers now verify downloads with SHA-256 checksums and abort if verification tools are missing.
  • macOS Intel (x86_64) installs are explicitly blocked with a clear error message.
  • Download falls back to an alternate retrieval method if the primary download attempt fails.

• Chores

  • Installers now pin specific OpenShell and Cloudflared release versions and display those versions in install logs for reproducible installs.

[wscurran]

I've reviewed the changes and see that this PR improves security by integrating checksum verification into the asset download process, which should prevent tampering with downloaded binaries during transit.

[cv]

Hey @dumko2001, checksum verification for external downloads is exactly the kind of supply-chain hardening we want. Could you rebase this one onto the latest main? We've been shipping a lot of changes and need to see how it fits with the current code.

[coderabbitai]

📝 Walkthrough

Walkthrough

Install scripts now pin OpenShell CLI to v0.0.14 and Cloudflared to 2025.2.0, select architecture-specific SHA-256 values, attempt gh release download with a curl fallback, verify downloads with sha256sum or shasum -a 256, and abort on checksum or tool failures before installing.

Changes

Cohort / File(s)	Summary
OpenShell install scripts/install.sh, scripts/brev-setup.sh	Pin OpenShell CLI to v0.0.14; choose OS/arch-specific asset names and EXPECTED_SHA values; try gh release download for the pinned tag and fall back to curl; verify archive with sha256sum -c or shasum -a 256 -c; fail on missing checksum tools or mismatches.
Cloudflared install & URL scripts/brev-setup.sh	Pin Cloudflared to 2025.2.0; change download endpoint to releases/download/${CLOUDFLARED_VERSION}/...; set architecture-specific expected SHA-256 hashes; verify binary checksum before placing it into path.
OS/Arch & checksum logic scripts/... (both files)	Add per-OS/arch case branches, explicit handling/rejection for unsupported combos (e.g., macOS x86_64 for OpenShell), and unified checksum verification + abort paths.

Sequence Diagram(s)

sequenceDiagram
    participant User as "User / Installer Script"
    participant GH as "GitHub (gh release download)"
    participant HTTP as "HTTP (curl) fallback"
    participant Check as "Checksum tool\n(sha256sum / shasum)"
    participant Extract as "Extract & Install"

    User->>GH: Attempt `gh release download` for pinned tag
    alt gh download succeeds
        GH-->>User: Release artifact
    else gh download fails
        User->>HTTP: Curl download pinned release URL
        HTTP-->>User: Release artifact
    end
    User->>Check: Verify artifact with EXPECTED_SHA
    alt checksum matches
        Check-->>User: OK
        User->>Extract: Extract and install binary
        Extract-->>User: Installed
    else checksum fails or no tool
        Check-->>User: FAIL
        User-->>User: Abort installation
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through tagged-release land tonight,
I fetched with gh, then curled when it took flight,
I checked each SHA so no surprises creep,
I extracted, installed, then curled up to sleep,
A tiny rabbit guarding installs with delight 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security improvement: adding SHA-256 checksum verification to the external binary download process for both OpenShell and cloudflared.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

scripts/install.sh (2)

352-370: Consider: Skipping verification degrades security guarantees.

When neither sha256sum nor shasum is available, the script warns but continues with extraction. While this is pragmatic for edge cases, it contradicts the PR's "zero-trust security defaults" principle. Consider whether a hard failure is more appropriate, or at minimum add a prominent note in the warning.

💡 Option: fail instead of warn when verification cannot be performed

   else
-    warn "Neither sha256sum nor shasum found, skipping checksum verification"
+    fail "Neither sha256sum nor shasum found. Cannot verify download integrity."
   fi

Alternatively, if graceful degradation is intended, consider documenting this explicitly in the warning:

-    warn "sha256sum not found, skipping checksum verification"
+    warn "⚠️  SECURITY WARNING: Checksum verification skipped — neither sha256sum nor shasum available. Install one of these tools to ensure download integrity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/install.sh` around lines 352 - 370, The script currently proceeds to
extract the downloaded OpenShell asset when neither sha256sum nor shasum is
available (inside the checksum verification block using EXPECTED_SHA,
$tmpdir/$ASSET), which weakens the zero-trust default; update the checksum
branch so that if neither sha256sum nor shasum is present the script exits
non‑zero (use the same warn function to log a clear, prominent error referencing
the missing tools and OPENSHELL_VERSION and then exit 1) — alternatively, if you
intend to allow graceful degradation, change the warn call to a more prominent
notice that documents the security implication and require an explicit opt-in
environment variable (e.g., SKIP_CHECKSUM=1) before proceeding to the tar xzf
"$tmpdir/$ASSET" extraction.

---

361-368: Minor: Warning message could be more precise.

At line 367, both sha256sum and shasum are unavailable when this branch executes. The message could better reflect this.

✏️ Suggested clarification

-    warn "sha256sum not found, skipping checksum verification"
+    warn "Neither sha256sum nor shasum found, skipping checksum verification"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/install.sh` around lines 361 - 368, The warning is ambiguous when
neither checksum utility is present; update the warn call in the checksum
verification block (the branch that currently calls warn "sha256sum not found,
skipping checksum verification") to explicitly state that neither sha256sum nor
shasum was found and that checksum verification for EXPECTED_SHA against
$tmpdir/$ASSET is being skipped, referencing the variables EXPECTED_SHA, tmpdir
and ASSET so the message is precise and actionable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/install.sh`:
- Around line 327-330: Replace the placeholder SHA-1 in EXPECTED_SHA for the
macOS x86_64 case with the actual SHA-256 checksum of the
openshell-x86_64-apple-darwin.tar.gz release asset so checksum verification uses
a 64-character SHA-256 like the other branches; update the EXPECTED_SHA value in
the x86_64 case (where ASSET="openshell-x86_64-apple-darwin.tar.gz") to the
correct SHA-256 string and remove or update the "Placeholder for macOS" comment
accordingly.

---

Nitpick comments:
In `@scripts/install.sh`:
- Around line 352-370: The script currently proceeds to extract the downloaded
OpenShell asset when neither sha256sum nor shasum is available (inside the
checksum verification block using EXPECTED_SHA, $tmpdir/$ASSET), which weakens
the zero-trust default; update the checksum branch so that if neither sha256sum
nor shasum is present the script exits non‑zero (use the same warn function to
log a clear, prominent error referencing the missing tools and OPENSHELL_VERSION
and then exit 1) — alternatively, if you intend to allow graceful degradation,
change the warn call to a more prominent notice that documents the security
implication and require an explicit opt-in environment variable (e.g.,
SKIP_CHECKSUM=1) before proceeding to the tar xzf "$tmpdir/$ASSET" extraction.
- Around line 361-368: The warning is ambiguous when neither checksum utility is
present; update the warn call in the checksum verification block (the branch
that currently calls warn "sha256sum not found, skipping checksum verification")
to explicitly state that neither sha256sum nor shasum was found and that
checksum verification for EXPECTED_SHA against $tmpdir/$ASSET is being skipped,
referencing the variables EXPECTED_SHA, tmpdir and ASSET so the message is
precise and actionable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 82857277-4932-496d-ae3b-781a6e165843

📥 Commits

Reviewing files that changed from the base of the PR and between 255e606 and b2b763a.

📒 Files selected for processing (2)

• scripts/brev-setup.sh
• scripts/install.sh

[cv]

Thanks for the contribution @dumko2001 — checksum verification for external downloads is a welcome security improvement.

A few things to address before this is ready to merge:

Stale version pin: The PR pins OpenShell to v0.0.8, but the latest release is v0.0.13. We'd be 5 releases behind on merge day. Please update to the latest release and regenerate all checksums. (The release includes an openshell-checksums-sha256.txt asset that should make this easy.)

Checksum accuracy: CodeRabbit flagged a potential mismatch on one of the hashes. Please verify every EXPECTED_SHA value against the actual release artifacts — for a security-focused PR, this is critical to get right.

DRY up the verification block: The same ~8-line checksum verification pattern is copy-pasted 3 times across the two scripts. A small verify_checksum() helper would reduce duplication and make future version bumps less error-prone.

Maintenance story: Hardcoded checksums are actually the right call here — downloading the upstream checksums file from the same source as the binary doesn't add real security, since a compromised release would include tampered checksums too. The ideal solution is GitHub artifact attestations, which would let us replace hardcoded hashes with gh attestation verify. OpenShell doesn't support this yet, so I'll open an issue on their repo to request it. In the meantime, please add a brief comment near the version/checksum constants pointing to where the upstream checksums live, so the next person doing a bump knows where to look.

Still need the rebase onto latest main as well. Let me know if you have questions!

[cv]

This is not a duplicate of #697 (ericksoa). Your approach — hardcoded SHA-256 hashes per architecture + version pinning — is strictly stronger than #697's approach of downloading openshell-checksums-sha256.txt from the same release (same-origin checksum doesn't protect against a compromised release). You also cover cloudflared, which #697 doesn't.

We flagged the same-origin issue in our #697 review and filed OpenShell#542 requesting artifact attestations upstream.

This PR could complement or replace #697's checksum approach. Worth rebasing onto current main — brev-setup.sh and scripts/install.sh have both changed.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/install.sh`:
- Around line 356-363: The gh-based download currently can fail and cause the
script to exit (because of set -euo pipefail); modify the GH_TOKEN/gh release
download block so the gh invocation is attempted but its failure is caught and
triggers the fallback curl download: run GH_TOKEN="${GITHUB_TOKEN:-}" gh release
download "${OPENSHELL_VERSION}" --repo NVIDIA/OpenShell --pattern "$ASSET" --dir
"$tmpdir" and if that command returns non-zero then run the existing curl -fsSL
"https://github.com/NVIDIA/OpenShell/releases/download/${OPENSHELL_VERSION}/$ASSET"
-o "$tmpdir/$ASSET"; ensure you check the exit status (e.g., with an if ...;
then ...; else ...; fi) around the gh command and reference the variables
GH_TOKEN, OPENSHELL_VERSION, ASSET and tmpdir so the curl fallback executes on
gh failure.
- Around line 326-327: Update the pinned OpenShell release: change
OPENSHELL_VERSION from "v0.0.8" to "v0.0.14" and regenerate the three
EXPECTED_SHA values used for checksum verification; specifically fetch the
SHA-256 checksums for openshell-aarch64-apple-darwin.tar.gz,
openshell-x86_64-unknown-linux-musl.tar.gz, and
openshell-aarch64-unknown-linux-musl.tar.gz from the v0.0.14 release assets on
GitHub and replace the corresponding EXPECTED_SHA variables in the script so the
installer’s verification (the checksum comparison logic referencing
EXPECTED_SHA) matches the new release.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6bcaa943-690f-4bff-ab25-7a342ce5fec0

📥 Commits

Reviewing files that changed from the base of the PR and between 48dc2af and 5b04d6d.

📒 Files selected for processing (2)

• scripts/brev-setup.sh
• scripts/install.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/brev-setup.sh

[coderabbitai]

🧹 Nitpick comments (1)

scripts/install.sh (1)

371-378: Checksum verification logic is correct; consider adding explicit failure message.

The verification approach using sha256sum -c / shasum -a 256 -c is correct. When a mismatch occurs, the tool outputs a "FAILED" message and set -e terminates the script. For improved user experience, you could wrap this in a conditional with an explicit security warning:

💡 Optional: Add clearer error message on checksum failure

   # Verify checksum
   if command -v sha256sum >/dev/null 2>&1; then
-    echo "${EXPECTED_SHA}  $tmpdir/$ASSET" | sha256sum -c -
+    if ! echo "${EXPECTED_SHA}  $tmpdir/$ASSET" | sha256sum -c - >/dev/null 2>&1; then
+      fail "Checksum verification failed for $ASSET. The binary may have been tampered with."
+    fi
   elif command -v shasum >/dev/null 2>&1; then
-    echo "${EXPECTED_SHA}  $tmpdir/$ASSET" | shasum -a 256 -c -
+    if ! echo "${EXPECTED_SHA}  $tmpdir/$ASSET" | shasum -a 256 -c - >/dev/null 2>&1; then
+      fail "Checksum verification failed for $ASSET. The binary may have been tampered with."
+    fi
   else
     fail "sha256sum or shasum not found. Cannot verify binary integrity."
   fi
+  info "Checksum verified"

This also aligns with the PR review suggestion to extract a verify_checksum() helper function for DRYness across this file and brev-setup.sh.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/install.sh` around lines 371 - 378, Extract the checksum logic into a
helper function named verify_checksum() and replace the inline block with a call
to it; implement verify_checksum() to run sha256sum or shasum as currently done
but capture the command exit status and, on failure, print an explicit security
warning like "ERROR: checksum verification failed for $ASSET — aborting
installation" (use process-failing behavior after the message), and return
non-zero so set -e or caller can terminate. Ensure callers in this script and
brev-setup.sh invoke verify_checksum() with EXPECTED_SHA, $tmpdir/$ASSET (or
equivalent variables) so the DRY helper is reused.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/install.sh`:
- Around line 371-378: Extract the checksum logic into a helper function named
verify_checksum() and replace the inline block with a call to it; implement
verify_checksum() to run sha256sum or shasum as currently done but capture the
command exit status and, on failure, print an explicit security warning like
"ERROR: checksum verification failed for $ASSET — aborting installation" (use
process-failing behavior after the message), and return non-zero so set -e or
caller can terminate. Ensure callers in this script and brev-setup.sh invoke
verify_checksum() with EXPECTED_SHA, $tmpdir/$ASSET (or equivalent variables) so
the DRY helper is reused.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 84d93639-d780-4bd7-98ef-1c1ca15b1852

📥 Commits

Reviewing files that changed from the base of the PR and between 5b04d6d and 5e78aa1.

📒 Files selected for processing (2)

• scripts/brev-setup.sh
• scripts/install.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/brev-setup.sh

[dumko2001]

@cv thanks for the quick approval

[cv]

Superseded by #697 and later installer changes: current main already verifies OpenShell download checksums, and the old brev-setup path this PR touched has since been removed. Closing instead of reviving a stale, conflicting branch.