feat: Introduce Installer Manifests for Download Verification #5

@lykhvar

The Problem

Currently, vet does an excellent job of verifying the installer script itself against malicious changes. However, it still relies on the user to manually read that script to understand what remote files (binaries, archives, configs) it will download.

This leaves a gap in the security chain. A user can approve a script that looks safe, without having a clear, machine-verifiable guarantee of what artifacts it will actually fetch from the internet.

The Proposed Solution

This feature introduces the concept of an Installer Manifest. vet will be enhanced to read a separate manifest file that explicitly declares all the remote files an installer is expected to download, along with their cryptographic checksums.

This transforms the implicit actions of a script into an explicit, auditable, and verifiable declaration of intent.

How It Would Work

A project wishing to support this would provide two files:

  • install.sh: The standard installer script.

  • install.manifest.json: A new file declaring the downloads.

Example install.manifest.json:

{
  "$schema": "https://getvet.sh/schemas/manifest-v1.json",
  "description": "Installer v1.0.0",
  "files": [
    {
      "url": "https://github.com/org/app/releases/download/v1.0.0/app-linux-amd64.tar.gz",
      "sha256": "a1b...",
      "destination": "/tmp/app.tar.gz"
    },
    {
      "url": "https://raw.githubusercontent.com/org/app/main/config/default.yml",
      "sha256": "f6e...",
      "destination": "/etc/app/config.yml"
    }
  ]
}

The New vet Workflow:

vet would gain a new flag to process the manifest:

vet --manifest https://.../install.manifest.json https://.../install.sh

  1. Fetch & Parse: vet first downloads and parses the manifest file.

  2. User Approval: vet displays a clean summary to the user:

     This script declares it will download the following files:

       - .../app-linux-amd64.tar.gz
       - .../default.yml

     Do you approve these downloads? [y/N]

  3. Secure & Verify Downloads: If the user approves, vet will take over the download process itself. It will:
     a. Download each file declared in the manifest to a secure temporary location.
     b. Verify the checksum of each downloaded file against the sha256 value in the manifest. If any checksum fails, the entire process aborts.

  4. Run the Script with Local Files: vet will then execute the install.sh script, but it will replace the real curl/wget commands with a mock that only serves the already downloaded and verified files from the local cache. The installer script runs, thinking it's downloading from the internet, but it's actually just getting the safe, pre-vetted local files.
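The manifest format above and the verify-then-serve steps of the workflow, as an added Python example that is not part of vet or of this issue: the URLs, payloads and the in-memory fetch function are constructed stand-ins for the network, and the manifest's sha256 values are computed from those payloads so the example runs offline. It shows the two properties the proposal relies on: a single checksum mismatch discards every file fetched so far, and the curl/wget mock refuses any URL the manifest did not declare.

```python
import hashlib
import hmac
import os

class ManifestError(Exception):
    """Any verification failure aborts the whole run."""

# Constructed stand-in for the network (URL -> bytes the server would return).
# The manifest's sha256 values are derived from these bytes so the example runs
# offline; a real manifest carries the digests published with the release.
PAYLOADS = {
    "https://example.invalid/releases/v1.0.0/app-linux-amd64.tar.gz": b"constructed tarball",
    "https://example.invalid/config/default.yml": b"log_level: info\n",
}
MANIFEST = {
    "$schema": "https://getvet.sh/schemas/manifest-v1.json",
    "description": "Installer v1.0.0 (constructed example)",
    "files": [
        {"url": u, "sha256": hashlib.sha256(b).hexdigest(), "destination": d}
        for (u, b), d in zip(PAYLOADS.items(), ["/tmp/app.tar.gz", "/etc/app/config.yml"])
    ],
}

def fetch(url: str) -> bytes:
    return PAYLOADS[url]

def verify_downloads(manifest: dict, fetch_fn, cache_dir: str) -> dict:
    """Fetch each declared file, check its sha256 and return url -> cached path.
    A mismatch removes everything fetched so far, so the installer is never
    handed a partially verified cache."""
    cached = {}
    try:
        for e in manifest["files"]:
            data = fetch_fn(e["url"])
            actual = hashlib.sha256(data).hexdigest()
            if not hmac.compare_digest(actual, e["sha256"].lower()):
                raise ManifestError(f"checksum mismatch for {e['url']}")
            path = os.path.join(cache_dir, actual)
            with open(path, "wb") as fh:
                fh.write(data)
            cached[e["url"]] = path
    except Exception:
        for path in cached.values():
            os.remove(path)
        raise
    return cached

def serve_from_cache(cached: dict, url: str) -> str:
    """The mocked curl/wget: only declared, verified URLs resolve to a file."""
    if url not in cached:
        raise ManifestError(f"undeclared download refused: {url}")
    return cached[url]
```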

Acceptance Criteria

  • vet has a new --manifest flag that accepts a URL to a JSON manifest.

  • vet correctly parses the manifest and displays a summary to the user for approval.

  • vet downloads and verifies the checksum of every file listed in the manifest.

  • vet can execute the installer script in a sandbox-like environment where network calls for the declared URLs are intercepted and served from a local, verified cache.

  • The process fails securely if any checksum does not match.

  • The feature is fully documented in the README.md.
