@@ -92,9 +92,9 @@ download() {
9292 _output=" $2 "
9393
9494 if has_cmd curl; then
95- curl -fLsS --retry 3 -o " $_output " " $_url "
95+ curl -fLsS --retry 3 --max-redirs 5 - o " $_output " " $_url "
9696 elif has_cmd wget; then
97- wget -q --tries=3 -O " $_output " " $_url "
97+ wget -q --tries=3 --max-redirect=5 - O " $_output " " $_url "
9898 fi
9999}
100100
@@ -161,6 +161,18 @@ resolve_version() {
161161 _latest_url=" ${GITHUB_URL} /releases/latest"
162162 _resolved=" $( resolve_redirect " $_latest_url " ) " || error " failed to resolve latest release from ${_latest_url} "
163163
164+ # Validate that the redirect stayed on the expected GitHub origin.
165+ # A MITM or DNS hijack could redirect to an attacker-controlled domain,
166+ # which would also serve a matching checksums file (making checksum
167+ # verification useless). See: https://github.com/NVIDIA/OpenShell/issues/638
168+ case " $_resolved " in
169+ https://github.com/${REPO} /releases/* )
170+ ;;
171+ * )
172+ error " unexpected redirect target: ${_resolved} (expected https://github.com/${REPO} /releases/...)"
173+ ;;
174+ esac
175+
164176 # Extract the tag from the resolved URL: .../releases/tag/v0.0.4 -> v0.0.4
165177 _version=" ${_resolved##*/ } "
166178
@@ -180,20 +192,20 @@ verify_checksum() {
180192 _vc_checksums=" $2 "
181193 _vc_filename=" $3 "
182194
183- _vc_expected=" $( grep " $_vc_filename " " $_vc_checksums " | awk ' {print $1}' ) "
195+ if ! has_cmd shasum && ! has_cmd sha256sum; then
196+ error " neither 'shasum' nor 'sha256sum' found; cannot verify download integrity"
197+ fi
198+
199+ _vc_expected=" $( grep -F " $_vc_filename " " $_vc_checksums " | awk ' {print $1}' ) "
184200
185201 if [ -z " $_vc_expected " ]; then
186- warn " no checksum found for $_vc_filename , skipping verification"
187- return 0
202+ error " no checksum entry found for $_vc_filename in checksums file"
188203 fi
189204
190205 if has_cmd shasum; then
191206 echo " $_vc_expected $_vc_archive " | shasum -a 256 -c --quiet 2> /dev/null
192207 elif has_cmd sha256sum; then
193208 echo " $_vc_expected $_vc_archive " | sha256sum -c --quiet 2> /dev/null
194- else
195- warn " sha256sum/shasum not found, skipping checksum verification"
196- return 0
197209 fi
198210}
199211
@@ -254,14 +266,13 @@ main() {
254266 error " failed to download ${_download_url} "
255267 fi
256268
257- # Verify checksum
269+ # Verify checksum (mandatory — never skip)
258270 info " verifying checksum..."
259- if download " $_checksums_url " " ${_tmpdir} /checksums.txt" ; then
260- if ! verify_checksum " ${_tmpdir} /${_filename} " " ${_tmpdir} /checksums.txt" " $_filename " ; then
261- error " checksum verification failed for ${_filename} "
262- fi
263- else
264- warn " could not download checksums file, skipping verification"
271+ if ! download " $_checksums_url " " ${_tmpdir} /checksums.txt" ; then
272+ error " failed to download checksums file from ${_checksums_url} "
273+ fi
274+ if ! verify_checksum " ${_tmpdir} /${_filename} " " ${_tmpdir} /checksums.txt" " $_filename " ; then
275+ error " checksum verification failed for ${_filename} "
265276 fi
266277
267278 # Extract
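Review bot: In verify_checksum the lookup `grep -F "$_vc_filename" "$_vc_checksums" | awk '{print $1}'` still matches the filename as a substring anywhere on a line, so a checksums file that also lists a longer name containing it (a detached signature, say, or a differently suffixed archive) puts several hashes into `_vc_expected`. That malformed value then fails the `-c` check, and because this change makes every verification failure fatal, the install aborts with a generic checksum error whose detail is discarded by `2>/dev/null`. Matching the name as a whole field pins the comparison to the intended entry: `_vc_expected="$(awk -v f="$_vc_filename" '$2 == f || $2 == "*" f { print $1; exit }' "$_vc_checksums")"`, assuming the two-column hash/name layout the existing awk already relies on. The body of verify_checksum starts before the visible hunk.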