Skip to content

🔒 SECURITY: Implement script integrity verification #8

New issue
New issue
Open
Open
🔒 SECURITY: Implement script integrity verification#8
@dean0x

Description

@dean0x
dean0x
opened on Oct 18, 2025

Security Enhancement: Script Integrity Checking

Severity: MEDIUM
Priority: MEDIUM
Category: File Integrity

Problem

No verification that installed scripts are authentic and unmodified:

  • Scripts could be tampered with after installation
  • No checksum verification
  • Race condition between install and settings.json update

Impact

  • Malicious script execution
  • Silent compromise
  • No detection of tampering

Solution

Implement checksum-based integrity verification:

import crypto from 'crypto';

// Generate checksums during build
const SCRIPT_CHECKSUMS = {
  'statusline.sh': 'sha256-abc123...',
};

async function verifyScriptIntegrity(scriptPath: string, name: string): Promise<boolean> {
  const content = await fs.readFile(scriptPath);
  const hash = crypto.createHash('sha256').update(content).digest('hex');
  const expected = SCRIPT_CHECKSUMS[name];
  
  if (hash !== expected) {
    console.error(`❌ Script integrity check failed for ${name}`);
    console.error(`   Expected: ${expected}`);
    console.error(`   Got: ${hash}`);
    return false;
  }
  
  return true;
}

// Verify before writing to settings.json
const statuslineValid = await verifyScriptIntegrity(statuslinePath, 'statusline.sh');
if (!statuslineValid) {
  throw new Error('Script integrity verification failed');
}

Implementation Steps

  1. Generate checksums at build time
  2. Embed checksums in compiled code
  3. Verify on installation
  4. Verify with --verify flag
  5. Document verification process

Files to Modify

  • package.json (add prebuild checksum generation)
  • src/cli/commands/init.ts (add verification)
  • Add checksum generation script

Acceptance Criteria

  • Checksums generated during build
  • Scripts verified during installation
  • Verification included in --verify flag
  • Clear error messages on integrity failure
  • Documentation updated

Related Issues

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions