From c1e0285e2093daa92a44183538764b93d287089d Mon Sep 17 00:00:00 2001 From: memosr Date: Sat, 6 Jun 2026 10:04:54 +0300 Subject: [PATCH] fix: exclude task-signing-tool folder from tarball, not signer-tool MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The excludedFolders array in src/lib/task-origin-validate.ts:38 listed "signer-tool", but the README at line 39 instructs users to clone this repo as task-signing-tool/ — which is also the actual GitHub repo name. If the signing tool is installed as a subdirectory of a task folder (via git submodule, nested install, or just convenience), the current exclusion does not match its directory name. The tarball generator then includes the entire tool source in the tarball, changing the hash deterministically computed from the task files alone. Signers comparing hashes between machines or against a published expected hash see a mismatch. The error surfaces as "validation failed" with no indication that the cause is tarball content drift from an incorrectly named exclusion. Updated the exclusion to match the documented and actual repo name. --- src/lib/task-origin-validate.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/lib/task-origin-validate.ts b/src/lib/task-origin-validate.ts index 949bda6..ebdd5eb 100644 --- a/src/lib/task-origin-validate.ts +++ b/src/lib/task-origin-validate.ts @@ -34,8 +34,7 @@ async function getAllFilesRecursively( const entries = await fs.readdir(currentDir, { withFileTypes: true }); const files: string[] = []; - // Exclude cache, out, and signer-tool folders from the tarball - const excludedFolders = ['cache', 'out', 'signer-tool']; + const excludedFolders = ['cache', 'out', 'task-signing-tool']; // matches documented clone directory name in README.md for (const entry of entries) { const fullPath = path.join(currentDir, entry.name);