Follow-up from #1087 review.
install.sh currently fail-opens on checksum verification: if checksums.txt can't be fetched (network error, MITM/blocked, 404), CHECKSUM_READY stays false and the compare block is silently skipped — the archive installs unverified. This is pre-existing (not introduced by #1087; that PR actually strengthened the match to exact-filename and added a wget fetch fallback).
Risk: an attacker who can block or MITM the checksums.txt fetch while serving a tampered archive bypasses integrity verification entirely.
Ask: make the installer fail-closed — if the checksum file is missing, unfetchable, or malformed (or the specific archive line is absent), abort the install with a clear error rather than proceeding unverified. Consider an explicit --skip-checksum opt-out for the rare legitimate case, so the default is safe.
Scope: install.sh (and mirror the same in scripts/smoke-test.sh:1682, which still uses the old substring grep form).
Follow-up from #1087 review.
install.shcurrently fail-opens on checksum verification: ifchecksums.txtcan't be fetched (network error, MITM/blocked, 404),CHECKSUM_READYstays false and the compare block is silently skipped — the archive installs unverified. This is pre-existing (not introduced by #1087; that PR actually strengthened the match to exact-filename and added a wget fetch fallback).Risk: an attacker who can block or MITM the
checksums.txtfetch while serving a tampered archive bypasses integrity verification entirely.Ask: make the installer fail-closed — if the checksum file is missing, unfetchable, or malformed (or the specific archive line is absent), abort the install with a clear error rather than proceeding unverified. Consider an explicit
--skip-checksumopt-out for the rare legitimate case, so the default is safe.Scope:
install.sh(and mirror the same inscripts/smoke-test.sh:1682, which still uses the old substringgrepform).