Address review feedback: remove runtime hash verification and simplify error messages

- Remove strict hash verification for continuous runtime releases (will break on updates)
- Add detailed note explaining the limitation and suggesting alternatives (GPG, versioned releases)
- Simplify error messages in hash verification scripts (remove unnecessary awk)
- Document scan-build and -fanalyzer as future static analysis enhancements
- Add note about CI testing requirement for sanitizers to be effective
- Update SECURITY.md with all clarifications

Co-authored-by: probonopd <2480569+probonopd@users.noreply.github.com>

Author: Copilot

SECURITY.md

@@ -13,29 +13,42 @@ The project is built with comprehensive compiler warnings enabled to catch poten
 
 These flags help ensure code quality and catch potential security issues at compile time.
 
+### Future Enhancements
+
+Additional static analysis tools that could be integrated:
+- **scan-build** (Clang Static Analyzer): Performs code flow analysis to detect issues like null pointer dereferences and use-after-free
+- **gcc -fanalyzer**: GCC's built-in static analyzer for similar code flow analysis
+
 ## Download Verification
 
-All external dependencies downloaded during the build process are verified using SHA256 hashes:
+External dependencies downloaded during the build process are verified where practical:
 
 ### Runtime Binaries
 
-The AppImage runtime binaries are downloaded from https://github.com/AppImage/type2-runtime/releases and verified with SHA256 hashes for each architecture:
+**Important Note**: The AppImage runtime binaries are downloaded from the `continuous` release at https://github.com/AppImage/type2-runtime/releases. 
+
+**Current Limitation**: Hash verification for continuous releases is problematic because:
+- Continuous releases are updated regularly
+- Hard-coded hashes would break when type2-runtime is updated
+- This creates a maintenance burden
 
-- `x86_64`: e70ffa9b69b211574d0917adc482dd66f25a0083427b5945783965d55b0b0a8b
-- `i686`: 3138b9f0c7a1872cfaf0e32db87229904524bb08922032887b298b22aed16ea8
-- `aarch64`: c1b2278cf0f42f5c603ab9a0fe43314ac2cbedf80b79a63eb77d3a79b42600c5
-- `armhf`: 6704e63466fa53394eb9326076f6b923177e9eb48840b85acf1c65a07e1fcf2b
+**Current Approach**: The build process prints the SHA256 hash and size of the downloaded runtime for transparency and audit purposes, but does not enforce hash verification.
 
-The build process prints the hash and size of the downloaded runtime for transparency.
+**Recommended Future Improvements**:
+1. Use GPG signature verification (download `.sig` files and verify with GPG)
+2. Switch to versioned/tagged releases instead of continuous
+3. Implement automatic hash updates when type2-runtime changes
 
 ### Build Tools
 
-External build tools are also verified:
+External build tools use strict hash verification:
 
 - **mksquashfs 4.6.1**: SHA256 hash `9c4974e07c61547dae14af4ed1f358b7d04618ae194e54d6be72ee126f0d2f53`
-- **zsyncmake 0.6.2**: SHA256 hash `0b9d53433387aa4f04634a6c63a5efa8203070f2298af72a705f9be3dda65af2` (already verified)
+- **zsyncmake 0.6.2**: SHA256 hash `0b9d53433387aa4f04634a6c63a5efa8203070f2298af72a705f9be3dda65af2`
 - **desktop-file-validate 0.28**: SHA256 hash `379ecbc1354d0c052188bdf5dbbc4a020088ad3f9cab54487a5852d1743a4f3b`
 
+These are versioned dependencies where hash verification is practical and effective.
+
 ## Build Provenance Attestation
 
 The GitHub Actions workflow generates cryptographically signed build provenance attestations using GitHub's attestation service. These attestations:
@@ -63,7 +76,13 @@ These sanitizers help detect:
 - Memory errors (use-after-free, buffer overflows, memory leaks)
 - Undefined behavior (integer overflow, null pointer dereferences, etc.)
 
-Note: Sanitizers cannot be used with static builds and are intended for development/testing only.
+**Note**: Sanitizers cannot be used with static builds and are intended for development/testing only.
+
+**Future Enhancement**: To be fully effective, sanitizer builds should be run in CI with both:
+- The full application exercising real-world use cases
+- Unit tests covering both happy paths and error handling paths
+
+This would catch issues before they reach production.
 
 ## Updating Hashes
 

ci/build.sh

@@ -45,39 +45,14 @@ chmod +x AppDir/AppRun
 
 wget https://github.com/AppImage/type2-runtime/releases/download/continuous/runtime-"$ARCH"
 
-# Verify runtime hash for supply chain security
-# These hashes are from the continuous release and should be updated when the runtime is updated
-case "$ARCH" in
-    x86_64)
-        expected_hash="e70ffa9b69b211574d0917adc482dd66f25a0083427b5945783965d55b0b0a8b"
-        ;;
-    i686)
-        expected_hash="3138b9f0c7a1872cfaf0e32db87229904524bb08922032887b298b22aed16ea8"
-        ;;
-    aarch64)
-        expected_hash="c1b2278cf0f42f5c603ab9a0fe43314ac2cbedf80b79a63eb77d3a79b42600c5"
-        ;;
-    armhf)
-        expected_hash="6704e63466fa53394eb9326076f6b923177e9eb48840b85acf1c65a07e1fcf2b"
-        ;;
-    *)
-        echo "Warning: Unknown architecture $ARCH, skipping hash verification"
-        expected_hash=""
-        ;;
-esac
-
-if [ -n "$expected_hash" ]; then
-    echo "Verifying runtime-$ARCH hash..."
-    echo "$expected_hash  runtime-$ARCH" | sha256sum -c || {
-        echo "ERROR: Runtime hash verification failed for $ARCH"
-        echo "Expected: $expected_hash"
-        echo "Got:      $(sha256sum runtime-$ARCH | awk '{print $1}')"
-        exit 1
-    }
-    echo "Runtime hash verified successfully"
-else
-    echo "Warning: Runtime hash not verified for $ARCH"
-fi
+# NOTE: Hash verification for continuous releases has limitations:
+# - Continuous releases are updated regularly, causing hash mismatches
+# - This will break when type2-runtime is updated
+# - For production use, consider:
+#   1. Using versioned/tagged releases instead of continuous, OR
+#   2. Implementing GPG signature verification (download .sig and verify with GPG), OR
+#   3. Automatically updating hashes when type2-runtime changes
+# For now, we print the hash for transparency but skip strict verification.
 
 # Print runtime information for transparency
 echo "Runtime file: runtime-$ARCH"

ci/install-static-desktop-file-validate.sh

@@ -32,7 +32,7 @@ if [[ "$version" == "0.28" ]]; then
     echo "$expected_hash  desktop-file-utils-$version.tar.gz" | sha256sum -c || {
         echo "ERROR: desktop-file-utils tarball hash verification failed"
         echo "Expected: $expected_hash"
-        echo "Got:      $(sha256sum desktop-file-utils-$version.tar.gz | awk '{print $1}')"
+        echo "Got:      $(sha256sum desktop-file-utils-$version.tar.gz)"
         exit 1
     }
     echo "Tarball hash verified successfully"

ci/install-static-mksquashfs.sh

@@ -28,7 +28,7 @@ echo "Verifying mksquashfs tarball hash..."
 echo "$expected_hash  $version.tar.gz" | sha256sum -c || {
     echo "ERROR: mksquashfs tarball hash verification failed"
     echo "Expected: $expected_hash"
-    echo "Got:      $(sha256sum $version.tar.gz | awk '{print $1}')"
+    echo "Got:      $(sha256sum $version.tar.gz)"
     exit 1
 }
 echo "Tarball hash verified successfully"