
feat(osinstaller): verify SHA-256 checksum of downloaded CLI binary#204

Open
wterpstra wants to merge 2 commits into Checkmarx:main from wterpstra:feature/checksum-verification

Conversation

@wterpstra

Summary

The installer currently downloads the CLI binary without verifying its integrity. This PR adds SHA-256 checksum verification to protect against corrupted or tampered downloads.

What changed

CxInstaller.ts

  • readASTCLIVersion() now returns { version, checksum } instead of just the version string. The checksum is resolved for the current platform/architecture and cached alongside the version.
  • When the checkmarx-ast-cli.version file is absent or empty, it falls back to the hardcoded cliDefaultVersion and its bundled cliDefaultChecksums (compile-time guarantee for the default release).
  • When the version file is present, pairs it with the new checkmarx-ast-cli.checksums file to look up the expected checksum — allowing consumers who pin a custom version to also ship verified checksums.
  • getDownloadURL() now returns { url, checksum }. The checksum is null when CX_CLI_LOCATION is set, skipping verification for custom binary sources.
  • downloadIfNotInstalledCLI() verifies the downloaded archive against the expected SHA-256 before extracting. A mismatch throws a CxError and exits with code 1.

checkmarx-ast-cli.checksums (new file, shipped with the package)

  • JSON file containing SHA-256 checksums for the 2.3.48 binaries, keyed by platform_architecture.
  • Consumers who pin a different version via checkmarx-ast-cli.version can ship a matching checkmarx-ast-cli.checksums alongside it to keep verification active.

CxInstallerTest.test.ts

  • Updated existing tests to destructure { url } and { version } from the updated return types.
  • Added CxInstaller checksum verification cases covering: checksum match (linux + darwin), mismatch, null/missing checksum, CX_CLI_LOCATION bypass, and custom version scenarios.

Testing

Manually verified end-to-end on Linux:

  • Downloads 2.3.48 binary and passes checksum verification ✓
  • Changing the version file to 2.3.47 (mismatched checksums) correctly triggers process.exit(1)
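The lookup-and-verify flow the description outlines (platform-keyed checksum table, null checksum when CX_CLI_LOCATION is set, warning on a missing entry, SHA-256 check of the archive before extraction), as an added TypeScript example that is not the PR's own code; the ChecksumTable shape, function names and sample digests are assumptions:

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical shape of checkmarx-ast-cli.checksums as the PR describes it:
// SHA-256 hex digests keyed by platform_architecture (e.g. "linux_x64").
export type ChecksumTable = Record<string, string>;

export interface ExpectedChecksum { checksum: string | null; warning?: string }

// Resolve the digest the download must match. A custom CX_CLI_LOCATION skips
// verification (checksum null); a missing entry also yields null but carries a
// warning so the unverified download is visible rather than silently skipped.
export function resolveExpectedChecksum(
  platformKey: string,
  table: ChecksumTable | undefined,
  customCliLocation: string | undefined,
): ExpectedChecksum {
  if (customCliLocation) return { checksum: null };
  const digest = table?.[platformKey];
  if (!digest) {
    return { checksum: null, warning: `no checksum entry for ${platformKey}; download not verified` };
  }
  return { checksum: digest.toLowerCase() };
}

// Hash the whole archive before extraction and compare in constant time.
// Returns false on any length mismatch, so a malformed expected value never passes.
export function verifyArchive(archive: Uint8Array, expectedHex: string): boolean {
  const actual = createHash("sha256").update(archive).digest();
  const expected = Buffer.from(expectedHex, "hex");
  return expected.length === actual.length && timingSafeEqual(actual, expected);
}

// Combined flow mirroring the PR: skip, verify, or reject (the PR throws a CxError
// and exits with code 1 on mismatch; here the caller decides what to do with it).
export function checkDownload(
  archive: Uint8Array,
  expected: ExpectedChecksum,
): "skipped" | "verified" | "mismatch" {
  if (expected.checksum === null) return "skipped";
  return verifyArchive(archive, expected.checksum) ? "verified" : "mismatch";
}

// Constructed sample data (not real CLI bytes or real published digests).
export const sampleArchive = Buffer.from("constructed sample archive, not a real CLI binary");
export const sampleTable: ChecksumTable = {
  linux_x64: createHash("sha256").update(sampleArchive).digest("hex"),
};
```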

…LI binaries

- readASTCLIVersion() now returns {version, checksum} and caches both; falls back to
  cliDefaultVersion and cliDefaultChecksums when the version file is absent or empty,
  otherwise pairs the version file with checkmarx-ast-cli.checksums
- getDownloadURL() returns {url, checksum}, passing null when CX_CLI_LOCATION is set
- downloadIfNotInstalledCLI() verifies the downloaded archive when a checksum is available
- Add checkmarx-ast-cli.checksums shipped with the package for custom version pinning
- Add checksum verification test cases covering match, mismatch, null, CX_CLI_LOCATION bypass, and custom version scenarios
@wterpstra force-pushed the feature/checksum-verification branch from dc34e80 to 9776d87 on April 30, 2026 13:52
…or custom versions

When a version file is present but the checksums file is missing or lacks an entry
for the current platform, log a warning to make the unverified download visible rather
than silently skipping verification.