Merge pull request #794 from github/devm33/checksum

devm33 · web-flow · commit e5349eb6a8ad · 2025-12-17T10:42:20.000-05:00
Add checksum validation to install script
diff --git a/install.sh b/install.sh
@@ -42,26 +42,61 @@ if [ -n "$VERSION" ]; then
     *) VERSION="v$VERSION" ;;
   esac
   DOWNLOAD_URL="https://github.com/github/copilot-cli/releases/download/${VERSION}/copilot-${PLATFORM}-${ARCH}.tar.gz"
+  CHECKSUMS_URL="https://github.com/github/copilot-cli/releases/download/${VERSION}/SHA256SUMS.txt"
 else
   DOWNLOAD_URL="https://github.com/github/copilot-cli/releases/latest/download/copilot-${PLATFORM}-${ARCH}.tar.gz"
+  CHECKSUMS_URL="https://github.com/github/copilot-cli/releases/latest/download/SHA256SUMS.txt"
 fi
 echo "Downloading from: $DOWNLOAD_URL"
 
 # Download and extract with error handling
-TMP_TARBALL="$(mktemp)"
+TMP_DIR="$(mktemp -d)"
+TMP_TARBALL="$TMP_DIR/copilot-${PLATFORM}-${ARCH}.tar.gz"
 if command -v curl >/dev/null 2>&1; then
   curl -fsSL "$DOWNLOAD_URL" -o "$TMP_TARBALL"
 elif command -v wget >/dev/null 2>&1; then
   wget -qO "$TMP_TARBALL" "$DOWNLOAD_URL"
 else
   echo "Error: Neither curl nor wget found. Please install one of them."
+  rm -rf "$TMP_DIR"
   exit 1
 fi
 
+# Attempt to download checksums file and validate
+TMP_CHECKSUMS="$TMP_DIR/SHA256SUMS.txt"
+CHECKSUMS_AVAILABLE=false
+if command -v curl >/dev/null 2>&1; then
+  curl -fsSL "$CHECKSUMS_URL" -o "$TMP_CHECKSUMS" 2>/dev/null && CHECKSUMS_AVAILABLE=true
+elif command -v wget >/dev/null 2>&1; then
+  wget -qO "$TMP_CHECKSUMS" "$CHECKSUMS_URL" 2>/dev/null && CHECKSUMS_AVAILABLE=true
+fi
+
+if [ "$CHECKSUMS_AVAILABLE" = true ]; then
+  if command -v sha256sum >/dev/null 2>&1; then
+    if (cd "$TMP_DIR" && sha256sum -c --ignore-missing SHA256SUMS.txt >/dev/null 2>&1); then
+      echo "✓ Checksum validated"
+    else
+      echo "Error: Checksum validation failed." >&2
+      rm -rf "$TMP_DIR"
+      exit 1
+    fi
+  elif command -v shasum >/dev/null 2>&1; then
+    if (cd "$TMP_DIR" && shasum -a 256 -c --ignore-missing SHA256SUMS.txt >/dev/null 2>&1); then
+      echo "✓ Checksum validated"
+    else
+      echo "Error: Checksum validation failed." >&2
+      rm -rf "$TMP_DIR"
+      exit 1
+    fi
+  else
+    echo "Warning: No sha256sum or shasum found, skipping checksum validation."
+  fi
+fi
+
 # Check that the file is a valid tarball
 if ! tar -tzf "$TMP_TARBALL" >/dev/null 2>&1; then
   echo "Error: Downloaded file is not a valid tarball or is corrupted." >&2
-  rm -f "$TMP_TARBALL"
+  rm -rf "$TMP_DIR"
   exit 1
 fi
 
@@ -85,7 +120,7 @@ fi
 tar -xz -C "$INSTALL_DIR" -f "$TMP_TARBALL"
 chmod +x "$INSTALL_DIR/copilot"
 echo "✓ GitHub Copilot CLI installed to $INSTALL_DIR/copilot"
-rm -f "$TMP_TARBALL"
+rm -rf "$TMP_DIR"
 
 # Check if install directory is in PATH
 case ":$PATH:" in
