From 817c8c6e6ad8e2ba098aebfe5c5dc193e16d3c10 Mon Sep 17 00:00:00 2001
From: areporeporepo
Date: Thu, 26 Mar 2026 06:52:04 -0700
Subject: [PATCH 1/3] fix(install): make checksum verification mandatory

- verify_checksum() now errors instead of warning when sha256sum/shasum is unavailable or when no checksum entry exists for the archive
- main() now errors when the checksums file cannot be downloaded
- Add --no-verify-checksum flag and OPENSHELL_NO_VERIFY env var for explicit opt-out in environments where verification is not feasible
- Update usage() with new flag, env var, and example

Previously, an attacker who could manipulate the download (MITM without HTTPS pinning) could serve a binary without the checksum file, and the installer would proceed silently. Now the installer fails loudly unless the operator explicitly opts out.

Closes #590

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: areporeporepo
---
 install.sh | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/install.sh b/install.sh
index cf29ba74..9f460a2e 100755
--- a/install.sh
+++ b/install.sh
@@ -13,6 +13,7 @@
 # Environment variables:
 #   OPENSHELL_VERSION      - Release tag to install (default: latest tagged release)
 #   OPENSHELL_INSTALL_DIR  - Directory to install into (default: ~/.local/bin)
+#   OPENSHELL_NO_VERIFY    - Set to "1" to skip checksum verification (not recommended)
 #
 
 set -eu
@@ -50,11 +51,13 @@ USAGE:
     ./install.sh [OPTIONS]
 
 OPTIONS:
-    --help                  Print this help message
+    --help                  Print this help message
+    --no-verify-checksum    Skip SHA-256 checksum verification (not recommended)
 
 ENVIRONMENT VARIABLES:
     OPENSHELL_VERSION       Release tag to install (default: latest tagged release)
     OPENSHELL_INSTALL_DIR   Directory to install into (default: ~/.local/bin)
+    OPENSHELL_NO_VERIFY     Set to "1" to skip checksum verification (not recommended)
 
 EXAMPLES:
     # Install latest release
@@ -65,6 +68,9 @@ EXAMPLES:
 
     # Install to /usr/local/bin
     curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_INSTALL_DIR=/usr/local/bin sh
+
+    # Skip checksum verification (not recommended)
+    curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_NO_VERIFY=1 sh
 EOF
 }
 
@@ -183,8 +189,7 @@ verify_checksum() {
     _vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
 
     if [ -z "$_vc_expected" ]; then
-        warn "no checksum found for $_vc_filename, skipping verification"
-        return 0
+        error "no checksum found for $_vc_filename in checksums file"
     fi
 
     if has_cmd shasum; then
@@ -192,8 +197,7 @@ verify_checksum() {
     elif has_cmd sha256sum; then
         echo "$_vc_expected $_vc_archive" | sha256sum -c --quiet 2>/dev/null
     else
-        warn "sha256sum/shasum not found, skipping checksum verification"
-        return 0
+        error "sha256sum or shasum is required for checksum verification (install coreutils or set OPENSHELL_NO_VERIFY=1 to skip)"
     fi
 }
 
@@ -223,6 +227,8 @@ is_on_path() {
 
 # ---------------------------------------------------------------------------
 main() {
+    _skip_checksum="${OPENSHELL_NO_VERIFY:-0}"
+
     # Parse CLI flags
     for arg in "$@"; do
         case "$arg" in
@@ -230,6 +236,9 @@ main() {
                 usage
                 exit 0
                 ;;
+            --no-verify-checksum)
+                _skip_checksum=1
+                ;;
             *)
                 error "unknown option: $arg"
                 ;;
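Review bot: The new `--no-verify-checksum)` branch in the `case "$arg"` parser is only reachable when positional arguments reach the script, yet every documented invocation is `curl ... | sh`, where nothing is passed to `main "$@"`; usage() shows the env-var form only, so the flag is effectively undocumented for the primary install path. Consider adding the piped form to the EXAMPLES section, e.g. `curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh -s -- --no-verify-checksum`, so operators know how to reach the flag. The `for arg` loop opens in the preceding hunk and main() continues past this one.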
@@ -255,13 +264,17 @@ main() {
     fi
 
     # Verify checksum
-    info "verifying checksum..."
-    if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
-        if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
-            error "checksum verification failed for ${_filename}"
-        fi
+    if [ "$_skip_checksum" = "1" ]; then
+        warn "checksum verification skipped (OPENSHELL_NO_VERIFY=1 or --no-verify-checksum)"
     else
-        warn "could not download checksums file, skipping verification"
+        info "verifying checksum..."
+        if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
+            if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
+                error "checksum verification failed for ${_filename}"
+            fi
+        else
+            error "failed to download checksums file from ${_checksums_url} (set OPENSHELL_NO_VERIFY=1 to skip verification)"
+        fi
     fi
 
     # Extract

From a511e3db82fc3234cf35dc8ef8f5dee4598fb14a Mon Sep 17 00:00:00 2001
From: areporeporepo
Date: Thu, 26 Mar 2026 07:07:01 -0700
Subject: [PATCH 2/3] fix(install): address review feedback on checksum verification

- Use awk exact-field match instead of grep regex for checksum lookup
- Include both opt-out mechanisms (env var + flag) in all error messages
- Add e2e test for OPENSHELL_NO_VERIFY=1 checksum skip path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: areporeporepo
---
 e2e/install/sh_test.sh | 24 ++++++++++++++++++++++++
 install.sh | 8 ++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/e2e/install/sh_test.sh b/e2e/install/sh_test.sh
index 320c00ef..e7996743 100755
--- a/e2e/install/sh_test.sh
+++ b/e2e/install/sh_test.sh
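Review bot: The fail-closed verification added here fetches `checksums.txt` from `$_checksums_url`, which, as far as this hunk shows, is the same release origin the archive itself comes from, so a party that controls that channel can serve a consistent archive/checksum pair and pass this check; the new logic defeats a missing, truncated or mismatched download, not a substituted release. Nothing in the code states that limit, and the commit message's MITM framing may read as a stronger guarantee than the check provides. A comment on the `# Verify checksum` block would keep the threat model explicit for the next maintainer, e.g. `# checksums.txt is fetched from the same origin as the archive: this detects corrupted or tampered downloads that do not match the published list, not an attacker who controls the release artifacts themselves (that needs signature verification).` main() begins and ends outside this hunk.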
@@ -68,6 +68,29 @@ test_guidance_mentions_restart() {
     assert_output_contains "$INSTALL_OUTPUT" "restart your shell" "mentions shell restart"
 }
 
+test_skip_checksum_env() {
+    printf 'TEST: OPENSHELL_NO_VERIFY=1 skips checksum verification\n'
+
+    _skip_dir="$(mktemp -d)/bin"
+    _skip_output="$(OPENSHELL_NO_VERIFY=1 \
+        OPENSHELL_INSTALL_DIR="$_skip_dir" \
+        SHELL="/bin/sh" \
+        PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" \
+        sh "$INSTALL_SCRIPT" 2>&1)" || {
+        fail "install succeeds with OPENSHELL_NO_VERIFY=1" "exit code: $?"
+        return 1
+    }
+
+    assert_output_contains "$_skip_output" "checksum verification skipped" \
+        "shows checksum skip message"
+
+    if [ -f "$_skip_dir/openshell" ]; then
+        pass "binary installed with checksum skip"
+    else
+        fail "binary installed with checksum skip" "not found at $_skip_dir/openshell"
+    fi
+}
+
 test_no_env_scripts_created() {
     printf 'TEST: no env scripts are created in install dir\n'
 
@@ -100,6 +123,7 @@ test_binary_runs; echo ""
 test_guidance_shows_export_path; echo ""
 test_guidance_mentions_not_on_path; echo ""
 test_guidance_mentions_restart; echo ""
+test_skip_checksum_env; echo ""
 test_no_env_scripts_created
 
 print_summary
diff --git a/install.sh b/install.sh
index 9f460a2e..9696b03f 100755
--- a/install.sh
+++ b/install.sh
@@ -186,10 +186,10 @@ verify_checksum() {
     _vc_checksums="$2"
     _vc_filename="$3"
 
-    _vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
+    _vc_expected="$(awk -v fname="$_vc_filename" '$2 == fname { print $1 }' "$_vc_checksums")"
 
     if [ -z "$_vc_expected" ]; then
-        error "no checksum found for $_vc_filename in checksums file"
+        error "no checksum found for $_vc_filename in checksums file (set OPENSHELL_NO_VERIFY=1 or use --no-verify-checksum to skip)"
     fi
 
     if has_cmd shasum; then
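Review bot: The new `test_skip_checksum_env` covers only the opt-out path; nothing in this series asserts the property the first patch introduces, namely that the installer exits non-zero when `checksums.txt` cannot be fetched or has no entry for the archive. Without that negative test a later refactor could quietly turn the `error` calls back into warnings and this suite would stay green. A companion test that makes the checksums download fail or supplies a checksums file without a matching entry, then asserts a non-zero exit together with the `no checksum found` or `failed to download checksums file` message, would pin the fail-closed behaviour; how to inject that depends on the download helper, which is not visible here.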
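Review bot: The awk lookup on the `_vc_expected` line, `$2 == fname { print $1 }`, prints every line whose second field matches, so a checksums file that lists the archive twice yields a two-line `_vc_expected`, and the later `echo "$_vc_expected $_vc_archive" | sha256sum -c` (in the same function, further down) then sees a malformed first line instead of one clean comparison. Appending `exit` keeps the value single-valued: `'$2 == fname { print $1; exit }'`. The exact-field match also only works for the two-column `HASH  FILE` layout; a `*FILE` binary marker or a path prefix in the file column would make the lookup fail closed with the "no checksum found" error, which is the safe direction but deserves a one-line comment so the dependency on the release's checksums format is explicit. verify_checksum() opens above this hunk.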
@@ -197,7 +197,7 @@ verify_checksum() {
     elif has_cmd sha256sum; then
         echo "$_vc_expected $_vc_archive" | sha256sum -c --quiet 2>/dev/null
     else
-        error "sha256sum or shasum is required for checksum verification (install coreutils or set OPENSHELL_NO_VERIFY=1 to skip)"
+        error "sha256sum or shasum is required for checksum verification (install coreutils, set OPENSHELL_NO_VERIFY=1, or use --no-verify-checksum to skip)"
     fi
 }
 
@@ -273,7 +273,7 @@ main() {
                 error "checksum verification failed for ${_filename}"
             fi
         else
-            error "failed to download checksums file from ${_checksums_url} (set OPENSHELL_NO_VERIFY=1 to skip verification)"
+            error "failed to download checksums file from ${_checksums_url} (set OPENSHELL_NO_VERIFY=1 or use --no-verify-checksum to skip verification)"
         fi
     fi
 

From 7cbf39ff5562bcea4e1c34c9e34be1646f2699b6 Mon Sep 17 00:00:00 2001
From: areporeporepo
Date: Thu, 26 Mar 2026 07:26:47 -0700
Subject: [PATCH 3/3] fix(install): accept common truthy values for OPENSHELL_NO_VERIFY

- Accept 1, true, yes, y (case-insensitive) for OPENSHELL_NO_VERIFY
- Clean up temp directory in e2e checksum skip test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: areporeporepo
---
 e2e/install/sh_test.sh | 5 ++++-
 install.sh | 7 ++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/e2e/install/sh_test.sh b/e2e/install/sh_test.sh
index e7996743..b8d5d75f 100755
--- a/e2e/install/sh_test.sh
+++ b/e2e/install/sh_test.sh
@@ -71,13 +71,15 @@ test_guidance_mentions_restart() {
 test_skip_checksum_env() {
     printf 'TEST: OPENSHELL_NO_VERIFY=1 skips checksum verification\n'
 
-    _skip_dir="$(mktemp -d)/bin"
+    _skip_base="$(mktemp -d)"
+    _skip_dir="${_skip_base}/bin"
     _skip_output="$(OPENSHELL_NO_VERIFY=1 \
         OPENSHELL_INSTALL_DIR="$_skip_dir" \
         SHELL="/bin/sh" \
         PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" \
         sh "$INSTALL_SCRIPT" 2>&1)" || {
         fail "install succeeds with OPENSHELL_NO_VERIFY=1" "exit code: $?"
+        rm -rf "$_skip_base"
         return 1
     }
 
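Review bot: `_skip_base="$(mktemp -d)"` is unchecked, so if mktemp fails `_skip_base` is empty, `_skip_dir` collapses to `/bin`, and the test goes on to run the installer with `OPENSHELL_INSTALL_DIR=/bin` before calling `rm -rf ""`, unless the harness runs under `set -e`, which this hunk does not show. Guarding the assignment costs one line: `_skip_base="$(mktemp -d)" || { fail "create temp dir for checksum skip test" "mktemp failed"; return 1; }`. The body of `test_skip_checksum_env` continues into the next hunk, where the second `rm -rf "$_skip_base"` lives.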
@@ -89,6 +91,7 @@ test_skip_checksum_env() {
     else
         fail "binary installed with checksum skip" "not found at $_skip_dir/openshell"
     fi
+    rm -rf "$_skip_base"
 }
 
 test_no_env_scripts_created() {
diff --git a/install.sh b/install.sh
index 9696b03f..a028a919 100755
--- a/install.sh
+++ b/install.sh
@@ -227,7 +227,12 @@ is_on_path() {
 
 # ---------------------------------------------------------------------------
 main() {
-    _skip_checksum="${OPENSHELL_NO_VERIFY:-0}"
+    # Normalise OPENSHELL_NO_VERIFY to "1" or "0".
+    # Accept common truthy values: 1, true, yes, y (case-insensitive).
+    case "$(printf '%s' "${OPENSHELL_NO_VERIFY:-}" | tr '[:upper:]' '[:lower:]')" in
+        1|true|yes|y) _skip_checksum=1 ;;
+        *) _skip_checksum=0 ;;
+    esac
 
     # Parse CLI flags
     for arg in "$@"; do
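Review bot: The `case` normalisation now accepts `1`, `true`, `yes` and `y` case-insensitively, but the header comment (`#   OPENSHELL_NO_VERIFY    - Set to "1" to skip checksum verification (not recommended)`), the matching usage() line and the skip warning in main() still describe only the `=1` spelling, so the accepted values cannot be discovered from the script itself and the documentation no longer matches the code. Suggest rewording both descriptions to `Set to 1/true/yes/y to skip checksum verification (not recommended)`, and the warning to name `OPENSHELL_NO_VERIFY` without the `=1`. main() continues beyond this hunk.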