fix: add SHA256 verification to fetch-busybox Makefile target

tomassrnka · claude · e2b · commit 83229acc9d3a · 2026-04-01T17:13:43.000+02:00
Download SHA256SUMS from the fc-busybox release and verify the binary
checksum, matching the Dockerfile verification pattern. All build paths
now verify integrity.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/orchestrator/Makefile b/packages/orchestrator/Makefile
@@ -30,19 +30,23 @@ build:
 BUSYBOX_VERSION ?= 1.36.1
 BUSYBOX_EMBED := pkg/template/build/core/systeminit/busybox
 BUSYBOX_STAMP := $(BUSYBOX_EMBED).stamp
+BUSYBOX_RELEASE_URL := https://github.com/e2b-dev/fc-busybox/releases/download/v$(BUSYBOX_VERSION)
 
-# Download busybox if missing or version/arch changed. For Docker builds,
-# the Dockerfile downloads and verifies the binary separately — this target
-# is only used by build-local and build-debug (local dev / CI).
+# Download busybox and verify SHA256 against published checksums.
+# Skips if binary exists and version/arch match the stamp file.
 .PHONY: fetch-busybox
 fetch-busybox:
 	@if [ ! -f $(BUSYBOX_EMBED) ] || [ "$$(cat $(BUSYBOX_STAMP) 2>/dev/null)" != "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" ]; then \
+		BINARY="busybox_v$(BUSYBOX_VERSION)_$(BUILD_ARCH)"; \
 		echo "Downloading busybox v$(BUSYBOX_VERSION) ($(BUILD_ARCH))..."; \
-		curl -sfL -o $(BUSYBOX_EMBED).tmp "https://github.com/e2b-dev/fc-busybox/releases/download/v$(BUSYBOX_VERSION)/busybox_v$(BUSYBOX_VERSION)_$(BUILD_ARCH)" \
-			&& mv $(BUSYBOX_EMBED).tmp $(BUSYBOX_EMBED) \
+		curl -sfL -o /tmp/$$BINARY "$(BUSYBOX_RELEASE_URL)/$$BINARY" \
+			&& curl -sfL -o /tmp/SHA256SUMS "$(BUSYBOX_RELEASE_URL)/SHA256SUMS" \
+			&& (cd /tmp && grep "$$BINARY" SHA256SUMS | sha256sum -c -) \
+			&& mv /tmp/$$BINARY $(BUSYBOX_EMBED) \
 			&& chmod +x $(BUSYBOX_EMBED) \
 			&& echo "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" > $(BUSYBOX_STAMP) \
-			|| { rm -f $(BUSYBOX_EMBED).tmp; echo "ERROR: failed to download busybox"; exit 1; }; \
+			&& rm -f /tmp/SHA256SUMS \
+			|| { rm -f /tmp/$$BINARY /tmp/SHA256SUMS; echo "ERROR: failed to download or verify busybox"; exit 1; }; \
 	fi
 
 .PHONY: build-local
