Skip to content

feat: verify downloads against release-published asset digests#191

Merged
jaemk merged 4 commits into
masterfrom
260715.asset-digest
Jul 16, 2026
Merged

feat: verify downloads against release-published asset digests#191
jaemk merged 4 commits into
masterfrom
260715.asset-digest

Conversation

@jaemk

@jaemk jaemk commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Closes #159.

  • Verify the downloaded artifact against the digest github publishes per release asset (sha256:<hex>) before installing, whenever the selected asset carries one. On by default with the checksums feature; opt out with verify_release_digest(false) on the builders.
  • Fail the update on a digest that is present but malformed or uses an unsupported algorithm, rather than silently skipping.
  • Add ReleaseAsset::digest() and ReleaseAsset::with_digest(..) carrying the algorithm:hex digest; the github backend fills it from the API's per-asset digest field, the other backends leave it None (their APIs publish none). A custom ReleaseSource can supply one via with_digest.
  • Add Checksum::parse_digest("sha256:<hex>"), parsing the forge form into a Checksum (sha256/sha512).
  • Independent of verify_checksum: when both apply, both must pass.

Note that this is an integrity check only, not authenticity: github recomputes the digest when an asset is replaced, so it is not a substitute for the signatures feature.

jaemk added 4 commits July 15, 2026 20:20
Github publishes a sha256 digest per release asset; with the checksums
feature the updater now verifies the downloaded artifact against it
before installing whenever the selected asset carries one. On by
default; opt out with `verify_release_digest(false)`. A digest that is
present but malformed or unsupported fails the update rather than
silently skipping. Independent of `verify_checksum` (both must pass
when both apply). Integrity only: the forge recomputes the digest when
an asset is replaced, so this is not a substitute for `signatures`.

- `ReleaseAsset::digest()` / `ReleaseAsset::with_digest(..)` carry the
  `algorithm:hex` digest; the github backend fills it from the API
- `Checksum::parse_digest("sha256:<hex>")` parses the forge form
- closes #159
Reflect the new checksums-gated release-digest gate across the ref specs
(update-pipeline, signatures-and-checksums, release-model, github-backend,
common-config, feature-flags) and the checksum-from-asset/checksum-verification
decision specs. Mark Checksum from Asset partial: the github per-asset digest
path ships, the SHA256SUMS-file fetch/parse convenience is still deferred.
3.3.3 drops the info-string suffix on a fenced block (the `compile_fail`
async doctest renders as a plain `rust` fence). CI installs the latest
cargo-readme, so the committed README must match its output. The doctest
still runs as compile_fail; the marker lives in src/lib.rs, not the README.
@jaemk
jaemk merged commit 29b98c9 into master Jul 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: Use GitHub sha256 hash to verify downloads

1 participant