Verify SHA256 checksum before installing just-lsp binary#40
Open
abumalick wants to merge 1 commit intojackTabsCode:mainfrom
Open
Verify SHA256 checksum before installing just-lsp binary#40abumalick wants to merge 1 commit intojackTabsCode:mainfrom
abumalick wants to merge 1 commit intojackTabsCode:mainfrom
Conversation
Download SHA256SUMS from the release and verify the archive checksum before extracting, preventing supply chain attacks via tampered binaries.
There was a problem hiding this comment.
Pull request overview
Adds SHA256 checksum verification for the just-lsp release archive prior to installation to improve supply-chain integrity.
Changes:
- Introduces
sha2dependency and computes SHA256 for the downloaded release archive. - Fetches
SHA256SUMSfrom release assets and compares expected vs computed hash before proceeding. - Updates download error formatting for
download_file.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/lib.rs | Fetches SHA256SUMS + archive, computes SHA256, compares, then proceeds to download/extract. |
| Cargo.toml | Adds sha2 dependency for hashing. |
| Cargo.lock | Locks transitive dependencies introduced by sha2. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SHA256SUMSfrom the just-lsp release and verifies the archive checksum before extractingsha2crate dependency for hash computationHow it works
SHA256SUMSfrom the release assetshttp_client::fetchand computes its SHA256download_filefor extractionTrade-off
The archive is downloaded twice (once for verification, once for extraction via
download_filewhich is the only API available for tar.gz/zip extraction in the WASM sandbox). This is a one-time cost per version and worth it for supply chain security.