Skip to content

Add checksum verification to curl and npx installers#1903

Draft
Copilot wants to merge 3 commits intomainfrom
copilot/fix-installer-checksum-verification
Draft

Add checksum verification to curl and npx installers#1903
Copilot wants to merge 3 commits intomainfrom
copilot/fix-installer-checksum-verification

Conversation

Copy link
Contributor

Copilot AI commented Feb 4, 2026
edited
Loading

GoReleaser generates checksum files (defang_<version>_checksums.txt) but installers don't verify them, allowing corrupted or tampered binaries to be installed.

Changes

curl installer (src/bin/install):

  • Downloads checksum file from GitHub releases
  • Verifies archive SHA256 using sha256sum or shasum -a 256
  • Exits with error code 11 on checksum mismatch

npx installer (pkgs/npm/src/clilib.ts):

  • Added downloadChecksumFile() to fetch checksums from s.defang.io
  • Added verifyChecksum() using Node's crypto module for SHA256 validation
  • Throws error and cleans up files on checksum mismatch

Behavior:

  • Checksum mismatch → installation fails (security)
  • Checksum file unavailable → warning logged, installation continues (backward compatibility)

Tests: Added unit tests covering success, failure, and error cases for npx installer.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/DefangLabs/defang/releases/latest
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Installers do not verify checksums</issue_title>
<issue_description>Goreleaser generates checksum files, but the installers (brew/npx/curl) do not use/verify them.</issue_description>

<agent_instructions>skip brew, because it builds from source. </agent_instructions>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits February 4, 2026 05:20
@lionello
Add checksum verification to curl and npx installers
9106093 
Co-authored-by: lionello <591860+lionello@users.noreply.github.com>
@lionello
Address code review feedback - use static crypto import
c611fba 
Co-authored-by: lionello <591860+lionello@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix installers to verify generated checksum files Add checksum verification to curl and npx installers Feb 4, 2026
Copilot AI requested a review from lionello February 4, 2026 05:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lionello lionello Awaiting requested review from lionello lionello is a code owner

@jordanstephens jordanstephens Awaiting requested review from jordanstephens jordanstephens will be requested when the pull request is marked ready for review jordanstephens is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@lionello lionello

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Installers do not verify checksums

2 participants

@lionello