rv downloads precompiled Ruby tarballs from rv-ruby and extracts them without any integrity check. A tampered tarball installs silently.
Blocked by: spinel-coop/rv-ruby#54
Proposed changes
- Fetch or embed the `SHA256SUMS` file from the rv-ruby release
- Verify the downloaded tarball's SHA256 before extraction
- Fail with a clear error on mismatch
Prior art
uv does this for python-build-standalone. At build time, a script collects SHA256 hashes from GitHub release assets (via the API digest field or `SHA256SUMS` files) and writes them into a JSON metadata file compiled into the binary via `include_bytes!`. At install time, uv wraps the download stream in a `HashReader` that computes SHA256 during extraction, then compares against the compiled-in hash. On mismatch it refuses to install. rv could take a similar approach or start simpler by fetching and verifying `SHA256SUMS` at install time.
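An added illustration of the approach described above, written here in Python with `hashlib` so it runs stand-alone (rv itself would implement this in Rust; this is not rv's or uv's code). It assumes `SHA256SUMS` uses the coreutils `sha256sum` line format (`<hex>  <filename>`); the asset name and tarball contents are constructed fixtures. The reader hashes bytes as the extractor consumes them, drains whatever the extractor left unread so the digest covers the whole artifact, and extracts into a staging directory that is only moved into place after the digest matches, so a mismatch leaves nothing installed.

```python
import hashlib
import hmac
import io
import os
import shutil
import sys
import tarfile
import tempfile


class IntegrityError(Exception):
    """The artifact's SHA-256 does not match the pinned value."""


def parse_sha256sums(text: str, filename: str) -> str:
    """Return the hex digest listed for `filename` in SHA256SUMS text.

    Assumes coreutils `sha256sum` format: '<hex>  <name>'; a leading '*'
    on the name (binary mode) is stripped.
    """
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if name.lstrip("*") == filename:
            return digest.lower()
    raise IntegrityError(f"{filename} not listed in SHA256SUMS")


class HashReader(io.RawIOBase):
    """Wrap a binary stream and feed every byte read into SHA-256."""

    def __init__(self, inner):
        self._inner = inner
        self._hasher = hashlib.sha256()

    def readable(self):
        return True

    def readinto(self, buf):
        data = self._inner.read(len(buf))
        buf[: len(data)] = data
        self._hasher.update(data)
        return len(data)

    def hexdigest(self) -> str:
        return self._hasher.hexdigest()


def install_tarball(stream, expected_hex: str, dest: str) -> str:
    """Extract a .tar.gz from `stream` into `dest` (must not exist yet)
    only if the stream's SHA-256 equals `expected_hex`. Returns the digest."""
    reader = HashReader(stream)
    staging = tempfile.mkdtemp(prefix="rv-staging-")
    try:
        with tarfile.open(fileobj=reader, mode="r|gz") as tar:
            # The 'data' filter (3.12+) rejects absolute paths and '..'.
            if sys.version_info >= (3, 12):
                tar.extractall(staging, filter="data")
            else:
                tar.extractall(staging)
        # tar may stop before the gzip trailer; drain so the digest covers
        # every byte of the artifact, not just what the extractor needed.
        while reader.read(65536):
            pass
        actual = reader.hexdigest()
        if not hmac.compare_digest(actual, expected_hex.lower()):
            raise IntegrityError(f"SHA-256 mismatch: expected {expected_hex}, got {actual}")
        shutil.move(staging, dest)  # only now does anything reach dest
        return actual
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def make_tarball(files: dict) -> bytes:
    """Build a small in-memory .tar.gz (constructed fixture)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return out.getvalue()


def demo() -> dict:
    """Genuine tarball installs; a substituted one with the same name is refused."""
    name = "ruby-placeholder.tar.gz"  # constructed asset name
    genuine = make_tarball({"ruby/bin/ruby": b"#!/bin/sh\necho ruby\n"})
    sums = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"  # constructed SHA256SUMS
    expected = parse_sha256sums(sums, name)
    altered = make_tarball({"ruby/bin/ruby": b"#!/bin/sh\necho altered\n"})
    result = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")
        result["genuine_ok"] = install_tarball(io.BytesIO(genuine), expected, good) == expected
        result["genuine_installed"] = os.path.isfile(os.path.join(good, "ruby", "bin", "ruby"))
        bad = os.path.join(root, "bad")
        try:
            install_tarball(io.BytesIO(altered), expected, bad)
            result["altered_rejected"] = False
        except IntegrityError:
            result["altered_rejected"] = True
        result["altered_installed"] = os.path.exists(bad)
    return result


if __name__ == "__main__":
    print(demo())
```

Hashing during extraction only helps if the comparison gates the final move: extracting straight into the target directory and checking afterwards would leave the tampered tree in place on mismatch. Also note that `SHA256SUMS` fetched from the same release only detects corruption or a tampered mirror; if the release assets themselves are replaced, the sums file goes with them, which is why uv compiles the hashes into the binary.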