feat(install): verify release archive checksums in both installers

.github/workflows/release.yml

@@ -357,6 +357,13 @@ jobs:
           path: packages/opencode/dist/
           merge-multiple: true
 
+      - name: Generate checksums
+        # Single checksums.txt (sha256sum format: "<hash>  <bare-filename>") shipped
+        # as a release asset. The curl and PowerShell installers fetch it and verify
+        # the downloaded archive before extracting.
+        working-directory: packages/opencode/dist
+        run: sha256sum *.tar.gz *.zip > checksums.txt
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
@@ -366,5 +373,6 @@ jobs:
           files: |
             packages/opencode/dist/*.tar.gz
             packages/opencode/dist/*.zip
+            packages/opencode/dist/checksums.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

install

@@ -356,6 +356,51 @@ download_with_progress() {
     return $ret
 }
 
+# Verify the downloaded archive against the release's checksums.txt.
+# Hard-fails on a real mismatch; soft-skips when checksums.txt can't be fetched
+# (older release, network blip) or has no entry, so pinned installs of
+# pre-checksums releases keep working.
+verify_checksum() {
+    local file="$1"
+    local name="$2"
+    # $url ends in /$filename — strip it to get the release base, append checksums.txt.
+    local checksums_url="${url%/*}/checksums.txt"
+
+    local sums
+    if ! sums=$(curl --fail -sL "$checksums_url" 2>/dev/null); then
+        print_message info "${MUTED}Skipping integrity check — checksums.txt not published for this release${NC}"
+        return 0
+    fi
+
+    # checksums.txt is sha256sum format: "<hash>  <filename>" (sha256sum may
+    # prefix the name with '*' in binary mode — tolerate it).
+    local expected
+    expected=$(printf '%s\n' "$sums" | awk -v f="$name" '{ n=$2; sub(/^\*/,"",n); if (n==f) { print $1; exit } }')
+    if [ -z "$expected" ]; then
+        print_message info "${MUTED}Skipping integrity check — no checksum entry for $name${NC}"
+        return 0
+    fi
+
+    local actual
+    if command -v sha256sum >/dev/null 2>&1; then
+        actual=$(sha256sum "$file" | cut -d' ' -f1)
+    elif command -v shasum >/dev/null 2>&1; then
+        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
+    else
+        print_message info "${MUTED}Skipping integrity check — no sha256 tool available${NC}"
+        return 0
+    fi
+
+    if [ "$actual" != "$expected" ]; then
+        print_message error "Checksum mismatch for $name"
+        print_message error "  expected: $expected"
+        print_message error "  actual:   $actual"
+        rm -rf "$tmp_dir"
+        exit 1
+    fi
+    print_message info "${MUTED}Verified ${NC}$name${MUTED} (sha256)${NC}"
+}
+
 download_and_install() {
     print_message info "\n${MUTED}Installing ${NC}altimate ${MUTED}version: ${NC}$specific_version"
     local tmp_dir="${TMPDIR:-/tmp}/altimate_install_$$"
@@ -367,6 +412,8 @@ download_and_install() {
         curl --fail -# -L -o "$tmp_dir/$filename" "$url"
     fi
 
+    verify_checksum "$tmp_dir/$filename" "$filename"
+
     # Extract only the expected binary member rather than the whole archive.
     # The current build only puts a single file in each archive, but listing
     # the member explicitly makes a future "tars a whole directory" mistake

install.ps1

@@ -77,6 +77,36 @@ public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wP
   }
 }
 
+# Verify a downloaded archive against the release's checksums.txt.
+# Hard-fails (throws) on a real mismatch. Soft-skips when checksums.txt can't be
+# fetched (older release, network blip) or has no entry for this file, so pinned
+# installs of pre-checksums releases keep working.
+function Test-Checksum {
+  param([string]$Path, [string]$Name, [string]$ChecksumsUrl)
+
+  $sums = $null
+  try {
+    $sums = (Invoke-WebRequest -Uri $ChecksumsUrl -UseBasicParsing).Content
+  } catch {
+    Write-Muted "Skipping integrity check — checksums.txt not published for this release"
+    return
+  }
+
+  # checksums.txt is sha256sum format: "<hash>  <filename>" (one entry per line).
+  $line = ($sums -split "`n") | Where-Object { $_ -match "\s\*?$([regex]::Escape($Name))\s*$" } | Select-Object -First 1
+  if (-not $line) {
+    Write-Muted "Skipping integrity check — no checksum entry for $Name"
+    return
+  }
+
+  $expected = (($line -split '\s+')[0]).ToLower()
+  $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
+  if ($actual -ne $expected) {
+    throw "Checksum mismatch for $Name (expected $expected, got $actual)"
+  }
+  Write-Muted "Verified $Name (sha256)"
+}
+
 # ---------------------------------------------------------------------------
 # Architecture / baseline detection
 # ---------------------------------------------------------------------------
@@ -171,10 +201,12 @@ function Install-Target {
   $filename = "$App-$target.zip"
 
   if ($useLatest) {
-    $url = "https://github.com/AltimateAI/altimate-code/releases/latest/download/$filename"
+    $base = "https://github.com/AltimateAI/altimate-code/releases/latest/download"
   } else {
-    $url = "https://github.com/AltimateAI/altimate-code/releases/download/v$specificVersion/$filename"
+    $base = "https://github.com/AltimateAI/altimate-code/releases/download/v$specificVersion"
   }
+  $url = "$base/$filename"
+  $checksumsUrl = "$base/checksums.txt"
 
   Write-Host ""
   Write-Host "Installing $App version: $specificVersion"
@@ -184,12 +216,6 @@ function Install-Target {
   $zipPath = Join-Path $tmpDir $filename
 
   try {
-    # NOTE: integrity verification (SHA256/signature) of the archive is
-    # intentionally deferred to match the bash installer's posture — both rely
-    # on HTTPS from github.com release assets. Releases do not currently publish
-    # a checksums file; adding one + verifying it in both installers is tracked
-    # as a follow-up. See PR #930 discussion.
-    #
     # Prefer curl.exe (ships with Windows 10 1803+) for a fast download with
     # --fail so HTTP errors don't write an error page to disk; fall back to
     # Invoke-WebRequest where curl.exe is unavailable.
@@ -201,6 +227,10 @@ function Install-Target {
       Invoke-WebRequest -Uri $url -OutFile $zipPath -UseBasicParsing
     }
 
+    # Integrity check: hard-fail on mismatch; skip (with notice) when the release
+    # predates checksums.txt or the fetch fails, so older pinned installs still work.
+    Test-Checksum -Path $zipPath -Name $filename -ChecksumsUrl $checksumsUrl
+
     Expand-Archive -Path $zipPath -DestinationPath $tmpDir -Force
     $extracted = Join-Path $tmpDir $BinaryName
     if (-not (Test-Path $extracted)) {

packages/opencode/test/install/checksum-verification.test.ts

@@ -0,0 +1,49 @@
+/**
+ * Release-archive integrity verification across the install surface.
+ *
+ * The release publishes a checksums.txt asset; both installers fetch it and
+ * verify the downloaded archive (sha256) before extracting — hard-fail on
+ * mismatch, soft-skip when the file is absent (older pinned releases).
+ */
+import { describe, test, expect } from "bun:test"
+import { readFileSync } from "node:fs"
+import { join } from "node:path"
+
+const REPO_ROOT = join(import.meta.dir, "../../../..")
+const BASH_INSTALL = readFileSync(join(REPO_ROOT, "install"), "utf-8")
+const PS1 = readFileSync(join(REPO_ROOT, "install.ps1"), "utf-8")
+const RELEASE_YML = readFileSync(join(REPO_ROOT, ".github/workflows/release.yml"), "utf-8")
+
+describe("release publishes checksums", () => {
+  test("release.yml generates checksums.txt and uploads it", () => {
+    expect(RELEASE_YML).toContain("sha256sum *.tar.gz *.zip > checksums.txt")
+    expect(RELEASE_YML).toContain("packages/opencode/dist/checksums.txt")
+  })
+})
+
+describe("bash installer verifies checksums", () => {
+  test("fetches checksums.txt and compares sha256", () => {
+    expect(BASH_INSTALL).toContain("checksums.txt")
+    expect(BASH_INSTALL).toMatch(/sha256sum|shasum -a 256/)
+  })
+
+  test("hard-fails on mismatch", () => {
+    expect(BASH_INSTALL).toContain("Checksum mismatch")
+    expect(BASH_INSTALL).toContain("verify_checksum")
+  })
+})
+
+describe("PowerShell installer verifies checksums", () => {
+  test("fetches checksums.txt and compares sha256", () => {
+    expect(PS1).toContain("checksums.txt")
+    expect(PS1).toContain("Get-FileHash")
+    expect(PS1).toContain("Test-Checksum")
+  })
+
+  test("hard-fails on mismatch before extracting", () => {
+    expect(PS1).toContain("Checksum mismatch")
+    // The verify call must precede the actual extraction call (not the
+    // Expand-Archive mention in the top-of-file ProgressPreference comment).
+    expect(PS1.indexOf("Test-Checksum -Path")).toBeLessThan(PS1.indexOf("Expand-Archive -Path"))
+  })
+})