fix: add SHA256 checksum verification for native dependency downloads#208
Merged
fix: add SHA256 checksum verification for native dependency downloads#208
Conversation
Fixes CI failure where autoconf download via ftpmirror.gnu.org failed because --proto =https blocked HTTP mirror redirects. Downloads now go to files with SHA256 verification instead of piping to tar, making HTTP redirects safe. Also adds checksums for all 8 library downloads in build-config.sh and auto-updates them in check-native-updates.sh.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="scripts/check-native-updates.sh">
<violation number="1" location="scripts/check-native-updates.sh:136">
P2: Handle checksum-tool failure before updating SHA variables; otherwise a missing `shasum` can produce an invalid checksum update.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
![recurseml[bot]](https://avatars.githubusercontent.com/in/1054195?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review by RecurseML
🔍 Review performed on 98f387c..04d1867
✨ No bugs found, your code is sparkling clean
✅ Files analyzed, no issues (3)
• .github/workflows/build.yml
• native/build-config.sh
• scripts/check-native-updates.sh
Add portable sha256_check/sha256_compute helpers that work with both sha256sum (Linux) and shasum (macOS), failing explicitly if neither is available. Validate computed hashes are 64-char hex before writing to build-config.sh. Use sha256sum in build.yml since the runner is Ubuntu.
macOS BSD sha256sum doesn't support --check/--status flags. Replace flag-based verification with compute-and-compare approach. Prefer shasum (available on macOS and most Linux) over sha256sum.
There was a problem hiding this comment.
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="scripts/check-native-updates.sh">
<violation number="1" location="scripts/check-native-updates.sh:137">
P2: `sha256_compute` is called without being available in the current shell, so checksum auto-update fails and is silently masked by `|| true`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
sha256_compute was defined in build-config.sh but only sourced in a subshell for URL extraction, making it unavailable for hash computation. Source in current shell so both the URL variables and helper functions are accessible.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--proto =httpsblocked HTTP mirror redirects from ftpmirror.gnu.org, causingxz: File format not recognizedbuild-config.shcheck-native-updates.shto auto-compute and update checksums when bumping versionsTest plan
High-level PR Summary
This PR adds SHA256 checksum verification for native dependency downloads to improve security and fix a CI failure caused by
--proto =httpsblocking HTTP mirror redirects. The changes include adding SHA256 checksums for all 8 native libraries inbuild-config.sh, updating the download function to verify checksums, modifying the CI workflow to download autoconf/automake with checksum verification instead of piping directly from curl, and enhancing thecheck-native-updates.shscript to automatically compute and update checksums when dependency versions are bumped.⏱️ Estimated Review Time: 15-30 minutes
💡 Review Order Suggestion
native/build-config.sh.github/workflows/build.ymlscripts/check-native-updates.shSummary by cubic
Adds SHA256 verification for all native dependency downloads and fixes CI by switching to file downloads with checksum checks, making HTTP mirror redirects safe. Uses portable compute-and-compare SHA256 helpers across Linux and macOS and ensures
check-native-updates.shsources helpers in the current shell.sha256sum -cfor autoconf 2.72 and automake 1.18.1, resolving ftpmirror redirects.shasum, fallbacksha256sum).scripts/check-native-updates.shcomputes and writes new SHA256 on version bumps, validates 64-char hex, and sourcesnative/build-config.shin the current shell for URLs andsha256_compute.Written for commit d6ac9a2. Summary will update on new commits.