@aryaminus/controlkeel 0.3.8 → 0.3.9

package/SECURITY.md

@@ -24,7 +24,7 @@ The `postinstall` script (`lib/postinstall.js`) performs the following actions:
 ### Security considerations
 
 - **Source**: Binaries are downloaded exclusively from official GitHub Releases
-- **Verification**: The download process uses GitHub's authenticated release endpoints
+- **Checksum verification**: After download, the installer fetches `SHASUMS256.txt` from the same release and verifies the SHA-256 digest of the downloaded binary before installing it. A mismatch causes the install to fail and the partial download is removed.
 - **Transparency**: The source code for the bootstrap installer is fully visible in this repository
 - **Opt-out**: Users can skip automatic download by setting `CONTROLKEEL_SKIP_DOWNLOAD=1`
 - **No external dependencies**: The bootstrap installer has no runtime dependencies beyond Node.js built-ins
@@ -60,4 +60,4 @@ This package is designed with supply chain security in mind:
 - **Signed releases**: GitHub Releases provide cryptographic verification
 - **Transparent source**: All installer code is open and auditable
 
-For detailed information about the native binary build process and security practices, see the main repository's [security documentation](https://github.com/aryaminus/controlkeel/blob/main/SECURITY.md).
+For detailed information about the native binary build process and security practices, see the main repository's [security documentation](https://github.com/aryaminus/controlkeel/blob/main/SECURITY.md).

package/lib/install.js

@@ -1,5 +1,6 @@
 "use strict";
 
+const crypto = require("node:crypto");
 const fs = require("node:fs");
 const os = require("node:os");
 const path = require("node:path");
@@ -85,6 +86,72 @@ function download(url, destination) {
   });
 }
 
+function downloadText(url) {
+  return new Promise((resolve, reject) => {
+    const request = https.get(url, (response) => {
+      if (response.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        response.resume();
+        downloadText(response.headers.location).then(resolve, reject);
+        return;
+      }
+
+      if (response.statusCode !== 200) {
+        reject(new Error(`Failed to download ${url} (HTTP ${response.statusCode})`));
+        return;
+      }
+
+      let data = "";
+      response.on("data", (chunk) => { data += chunk; });
+      response.on("end", () => resolve(data));
+    });
+
+    request.on("error", reject);
+  });
+}
+
+function sha256File(filePath) {
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash("sha256");
+    const stream = fs.createReadStream(filePath);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+
+async function verifyChecksum(filePath, asset) {
+  const checksumUrl = `${releaseBaseUrl()}/SHASUMS256.txt`;
+
+  let checksumText;
+  try {
+    checksumText = await downloadText(checksumUrl);
+  } catch {
+    // Checksum file not available for this release — skip verification but warn.
+    console.warn(`[controlkeel] Warning: could not download checksum file from ${checksumUrl}. Skipping integrity check.`);
+    return;
+  }
+
+  const expectedHash = checksumText
+    .split("\n")
+    .map((line) => line.trim().split(/\s+/))
+    .find(([, name]) => name === asset || name === `./${asset}`)?.[0];
+
+  if (!expectedHash) {
+    console.warn(`[controlkeel] Warning: no checksum entry found for ${asset}. Skipping integrity check.`);
+    return;
+  }
+
+  const actualHash = await sha256File(filePath);
+
+  if (actualHash !== expectedHash) {
+    fs.rmSync(filePath, { force: true });
+    throw new Error(
+      `Checksum mismatch for ${asset}.\n  Expected: ${expectedHash}\n  Got:      ${actualHash}\n` +
+      `The downloaded binary has been removed. Retry the installation or set CONTROLKEEL_SKIP_DOWNLOAD=1 and install manually.`
+    );
+  }
+}
+
 async function ensureBinary({ forceDownload = false } = {}) {
   const destination = binaryPath();
 
@@ -93,10 +160,13 @@ async function ensureBinary({ forceDownload = false } = {}) {
   }
 
   ensureVendorDir();
-  const tempPath = path.join(os.tmpdir(), `${assetName()}-${Date.now()}`);
-  const url = `${releaseBaseUrl()}/${assetName()}`;
+  const asset = assetName();
+  const tempPath = path.join(os.tmpdir(), `${asset}-${Date.now()}`);
+  const url = `${releaseBaseUrl()}/${asset}`;
 
   await download(url, tempPath);
+  await verifyChecksum(tempPath, asset);
+
   fs.copyFileSync(tempPath, destination);
   fs.rmSync(tempPath, { force: true });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aryaminus/controlkeel",
-  "version": "0.3.8",
+  "version": "0.3.9",
   "description": "Bootstrap installer for the ControlKeel native CLI - a control plane for agent-generated software delivery.",
   "license": "Apache-2.0",
   "author": {

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/aryaminus/controlkeel.git",
     "source": "github"
   },
-  "version": "0.3.8",
+  "version": "0.3.9",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@aryaminus/controlkeel",
-      "version": "0.3.8",
+      "version": "0.3.9",
       "runtimeHint": "npx",
       "transport": {
         "type": "stdio"