Add --verify-checksum option to the installer

IvanIsCoding · IvanIsCoding · commit 148fa7762e37 · 2026-01-27T20:40:50.000-05:00
diff --git a/.github/scripts/generate-install-script.sh b/.github/scripts/generate-install-script.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+# Script to download releases and generate install.sh with SHA256 checksums
+# Usage: ./generate-install-script.sh <version>
+# Example: ./generate-install-script.sh v0.2.0
+
+set -euo pipefail
+
+VERSION="${1:-}"
+
+if [ -z "$VERSION" ]; then
+  echo "Usage: $0 <version>"
+  echo "Example: $0 v0.2.0"
+  exit 1
+fi
+
+REPO="IvanIsCoding/celq"
+TEMP_DIR=$(mktemp -d)
+
+cleanup() {
+  rm -rf "$TEMP_DIR"
+}
+trap cleanup EXIT
+
+echo "Downloading releases for $VERSION..."
+
+# Download the archives (excluding FreeBSD)
+declare -A DOWNLOADS=(
+  ["macos-aarch64"]="celq-macos-aarch64.tar.gz"
+  ["macos-x86_64"]="celq-macos-x86_64.tar.gz"
+  ["windows-x86_64"]="celq-windows-x86_64.zip"
+  ["linux-x86_64-musl"]="celq-linux-x86_64-musl.tar.gz"
+  ["linux-aarch64-musl"]="celq-linux-aarch64-musl.tar.gz"
+  ["linux-x86_64-gnu"]="celq-linux-x86_64-gnu.tar.gz"
+  ["linux-aarch64-gnu"]="celq-linux-aarch64-gnu.tar.gz"
+)
+
+declare -A CHECKSUMS
+
+for key in "${!DOWNLOADS[@]}"; do
+  filename="${DOWNLOADS[$key]}"
+  echo "Downloading $filename..."
+  gh release download "$VERSION" \
+    --repo "$REPO" \
+    --pattern "$filename" \
+    --dir "$TEMP_DIR"
+  
+  # Calculate SHA256
+  if command -v sha256sum > /dev/null 2>&1; then
+    checksum=$(sha256sum "$TEMP_DIR/$filename" | cut -d' ' -f1)
+  elif command -v shasum > /dev/null 2>&1; then
+    checksum=$(shasum -a 256 "$TEMP_DIR/$filename" | cut -d' ' -f1)
+  else
+    echo "Error: need sha256sum or shasum"
+    exit 1
+  fi
+  
+  CHECKSUMS[$key]=$checksum
+  echo "  SHA256: $checksum"
+done
+
+echo ""
+echo "Generating install.sh from template..."
+
+# Read template and substitute values
+TEMPLATE_FILE="template_install.sh"
+OUTPUT_FILE="install.sh"
+
+if [ ! -f "$TEMPLATE_FILE" ]; then
+  echo "Error: $TEMPLATE_FILE not found"
+  exit 1
+fi
+
+# Create the output with all substitutions
+sed -e "s/{{CELQ_VERSION}}/${VERSION}/g" \
+    -e "s/{{CHECKSUM_MACOS_AARCH64}}/${CHECKSUMS[macos-aarch64]}/g" \
+    -e "s/{{CHECKSUM_MACOS_X86_64}}/${CHECKSUMS[macos-x86_64]}/g" \
+    -e "s/{{CHECKSUM_WINDOWS_X86_64}}/${CHECKSUMS[windows-x86_64]}/g" \
+    -e "s/{{CHECKSUM_LINUX_X86_64_MUSL}}/${CHECKSUMS[linux-x86_64-musl]}/g" \
+    -e "s/{{CHECKSUM_LINUX_AARCH64_MUSL}}/${CHECKSUMS[linux-aarch64-musl]}/g" \
+    -e "s/{{CHECKSUM_LINUX_X86_64_GNU}}/${CHECKSUMS[linux-x86_64-gnu]}/g" \
+    -e "s/{{CHECKSUM_LINUX_AARCH64_GNU}}/${CHECKSUMS[linux-aarch64-gnu]}/g" \
+    "$TEMPLATE_FILE" > "$OUTPUT_FILE"
+
+chmod +x "$OUTPUT_FILE"
+
+echo "✅ Generated $OUTPUT_FILE"
+echo ""
+echo "Checksums:"
+for key in "${!CHECKSUMS[@]}"; do
+  echo "  $key: ${CHECKSUMS[$key]}"
+done
diff --git a/.github/workflows/release_github.yml b/.github/workflows/release_github.yml
@@ -183,14 +183,14 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh release upload ${VERSION} ${{ steps.archive.outputs.ARCHIVE_NAME }}
-  
+
   update-install-script:
     name: Update install script on GitHub Pages
     runs-on: ubuntu-latest
     needs: [build, build-zig]
     environment: github_release
     steps:
-      - name: Checkout celq repository (for template)
+      - name: Checkout celq repository
         uses: actions/checkout@v4
         with:
           path: celq-repo
@@ -202,27 +202,28 @@ jobs:
           token: ${{ secrets.PAGES_DEPLOY_TOKEN }}
           path: pages-repo
 
-      - name: Generate install scripts
+      - name: Generate install script with checksums
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
+          cd celq-repo
           VERSION="${{ github.ref_name }}"
           
+          # Run the generation script
+          bash .github/scripts/generate-install-script.sh "$VERSION"
+          
           # Generate versioned install script (e.g., v0.1.1/install.sh or v0.2.0-beta.1/install.sh)
-          mkdir -p "pages-repo/${VERSION}"
-          sed "s/{{CELQ_VERSION}}/${VERSION}/g" celq-repo/template_install.sh > "pages-repo/${VERSION}/install.sh"
-          chmod +x "pages-repo/${VERSION}/install.sh"
+          mkdir -p "../pages-repo/${VERSION}"
+          cp install.sh "../pages-repo/${VERSION}/install.sh"
           
           # Only update root install.sh if this is NOT a pre-release
           # Pre-releases have a hyphen (e.g., v0.2.0-beta.1, v1.0.0-rc.1)
           if [[ ! "$VERSION" =~ -[a-zA-Z] ]]; then
             echo "Stable release detected, updating root install.sh"
-            sed "s/{{CELQ_VERSION}}/${VERSION}/g" celq-repo/template_install.sh > pages-repo/install.sh
-            chmod +x pages-repo/install.sh
+            cp install.sh ../pages-repo/install.sh
           else
             echo "Pre-release detected, skipping root install.sh update"
           fi
-          
-          # Copy generated script for GitHub release attachment
-          cp "pages-repo/${VERSION}/install.sh" celq-repo/install.sh
 
       - name: Generate attestation for install script
         uses: actions/attest-build-provenance@v3
diff --git a/template_install.sh b/template_install.sh
@@ -30,6 +30,7 @@ FLAGS:
 OPTIONS:
     --to LOCATION   Where to install the binary [default: $CARGO_HOME/bin, $HOME/.cargo/bin, $HOME/.local/bin or $HOME/bin]
     --target TARGET Following Rust target triple conventions (e.g. x86_64-unknown-linux-gnu).
+    --verify-checksum    Verify the downloaded archive's SHA256 checksum
     --verify-attestation  Verify the binary's GitHub Actions attestation (requires GitHub CLI with authentication)
 EOF
 }
@@ -87,6 +88,71 @@ check_attestation() {
   return 0
 }
 
+# Get expected SHA256 checksum for a target
+get_expected_checksum() {
+  local rust_target="$1"
+  
+  case "$rust_target" in
+    aarch64-apple-darwin)
+      echo "{{CHECKSUM_MACOS_AARCH64}}"
+      ;;
+    x86_64-apple-darwin)
+      echo "{{CHECKSUM_MACOS_X86_64}}"
+      ;;
+    x86_64-pc-windows-msvc)
+      echo "{{CHECKSUM_WINDOWS_X86_64}}"
+      ;;
+    x86_64-unknown-linux-musl)
+      echo "{{CHECKSUM_LINUX_X86_64_MUSL}}"
+      ;;
+    aarch64-unknown-linux-musl)
+      echo "{{CHECKSUM_LINUX_AARCH64_MUSL}}"
+      ;;
+    x86_64-unknown-linux-gnu)
+      echo "{{CHECKSUM_LINUX_X86_64_GNU}}"
+      ;;
+    aarch64-unknown-linux-gnu)
+      echo "{{CHECKSUM_LINUX_AARCH64_GNU}}"
+      ;;
+    *)
+      err "No checksum available for target: $rust_target"
+      ;;
+  esac
+}
+
+verify_checksum() {
+  local file="$1"
+  local target="$2"
+  
+  say "Verifying checksum for $file"
+  
+  local expected_checksum
+  expected_checksum=$(get_expected_checksum "$target")
+  
+  if [ -z "$expected_checksum" ] || [ "$expected_checksum" = "{{CHECKSUM_"* ]; then
+    err "Checksum template not populated for target: $target"
+  fi
+  
+  local actual_checksum
+  if command -v sha256sum > /dev/null 2>&1; then
+    actual_checksum=$(sha256sum "$file" | cut -d' ' -f1)
+  elif command -v shasum > /dev/null 2>&1; then
+    actual_checksum=$(shasum -a 256 "$file" | cut -d' ' -f1)
+  else
+    err "need sha256sum or shasum (command not found)"
+  fi
+  
+  if [ "$actual_checksum" != "$expected_checksum" ]; then
+    say "error: checksum mismatch"
+    say "  expected: $expected_checksum"
+    say "  actual:   $actual_checksum"
+    return 1
+  fi
+  
+  say "Checksum verification successful"
+  return 0
+}
+
 # Map Rust target triple to pretty download name
 target_to_pretty_name() {
   local rust_target="$1"
@@ -107,6 +173,7 @@ target_to_pretty_name() {
 
 force=false
 verify_attestation=false
+verify_checksums=false
 while test $# -gt 0; do
   case $1 in
     --force | -f)
@@ -127,6 +194,9 @@ while test $# -gt 0; do
     --verify-attestation)
       verify_attestation=true
       ;;
+    --verify-checksum)
+      verify_checksums=true
+      ;;
     *)
       say "error: unrecognized argument '$1'. Usage:"
       help
@@ -151,6 +221,12 @@ if [ "$verify_attestation" = true ]; then
   need gh
 fi
 
+if [ "$verify_checksums" = true ]; then
+  command -v sha256sum > /dev/null 2>&1 ||
+    command -v shasum > /dev/null 2>&1 ||
+    err "need sha256sum or shasum (command not found)"
+fi
+
 if [ -z "${dest-}" ]; then
   # Try to determine installation directory following Cargo conventions
   if [ -n "${CARGO_HOME-}" ]; then
@@ -232,6 +308,10 @@ if [ "$extension" = "zip" ]; then
   download "$archive" "$td/celq.zip"
   archive_file="$td/celq.zip"
   
+  if [ "$verify_checksums" = true ]; then
+    verify_checksum "$archive_file" "$target" || err "Checksum verification failed"
+  fi
+  
   if [ "$verify_attestation" = true ]; then
     check_attestation "$archive_file" || err "Attestation verification failed"
   fi
@@ -241,6 +321,10 @@ else
   download "$archive" "$td/celq.tar.gz"
   archive_file="$td/celq.tar.gz"
   
+  if [ "$verify_checksums" = true ]; then
+    verify_checksum "$archive_file" "$target" || err "Checksum verification failed"
+  fi
+  
   if [ "$verify_attestation" = true ]; then
     check_attestation "$archive_file" || err "Attestation verification failed"
   fi
