sec(install): checksum verification silently skipped when sha256sum unavailable

## Summary

The installer script (`install.sh`, lines 178–198, 257–265) downloads a checksums file and verifies SHA-256 integrity. However:

1. If neither `shasum` nor `sha256sum` is available (lines 193–196), verification is **silently skipped** with only a warning
2. If the checksums file itself cannot be downloaded (lines 263–264), verification is skipped entirely

An attacker who can manipulate the download (MITM without HTTPS pinning) could serve a binary without the checksum file.

## Impact

- **Severity:** Medium
- Users may install a tampered binary without realising verification was skipped.

## Proposed Fix

1. Make checksum verification mandatory — fail if sha256sum is unavailable or the checksums file cannot be downloaded
2. Consider adding GPG/Sigstore signature verification (see also #542 for artifact attestations)

**Note:** #542 covers GitHub artifact attestations which is complementary but separate from installer-side verification.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sec(install): checksum verification silently skipped when sha256sum unavailable #590

Summary

Impact

Proposed Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

sec(install): checksum verification silently skipped when sha256sum unavailable #590

Description

Summary

Impact

Proposed Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions