Skip to content

Verify SHA256 checksum before installing just-lsp binary #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
abumalick wants to merge 1 commit into
base: main
Choose a base branch
from
+128 −1
Open

Verify SHA256 checksum before installing just-lsp binary #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 78 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ edition = "2024"
crate-type = ["cdylib"]

[dependencies]
sha2 = "0.10"
zed_extension_api = "0.7.0"

[profile.release]
Expand Down
50 changes: 49 additions & 1 deletion src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
use std::fs;

use sha2::{Digest, Sha256};
use zed_extension_api::{
http_client::{HttpMethod, HttpRequest, RedirectPolicy},
Architecture, Command, DownloadedFileType, Extension, GithubReleaseOptions, LanguageServerId,
Os, Result, Worktree, current_platform, download_file, latest_github_release,
make_file_executable, register_extension,
Expand Down Expand Up @@ -75,6 +77,52 @@ impl JustExtension {

// Check if already downloaded
if !fs::metadata(&binary_path).is_ok_and(|stat| stat.is_file()) {
// Fetch SHA256SUMS from the release
let checksums_asset = release
.assets
.iter()
.find(|a| a.name == "SHA256SUMS")
.ok_or("SHA256SUMS not found in release assets")?;

let checksums_response = HttpRequest {
url: checksums_asset.download_url.clone(),
method: HttpMethod::Get,
headers: vec![],
body: None,
redirect_policy: RedirectPolicy::FollowAll,
}
.fetch()?;

Comment thread
abumalick marked this conversation as resolved.
let checksums_text = String::from_utf8(checksums_response.body)
.map_err(|e| format!("Invalid SHA256SUMS encoding: {e}"))?;

let expected_hash = checksums_text
.lines()
.find(|line| line.ends_with(asset_name.as_str()))
.and_then(|line| line.split_whitespace().next())
.ok_or_else(|| {
format!("Checksum for {asset_name} not found in SHA256SUMS")
})?;
Comment thread
abumalick marked this conversation as resolved.

// Download archive and verify its SHA256 checksum
let archive_response = HttpRequest {
url: asset.download_url.clone(),
method: HttpMethod::Get,
headers: vec![],
body: None,
redirect_policy: RedirectPolicy::FollowAll,
}
.fetch()?;

let computed_hash = format!("{:x}", Sha256::digest(&archive_response.body));

if computed_hash != expected_hash {
return Err(format!(
"Checksum verification failed for {asset_name}: expected {expected_hash}, got {computed_hash}"
));
}

// Checksum verified — download and extract
download_file(
Comment thread
abumalick marked this conversation as resolved.
&asset.download_url,
&version_dir,
Expand All @@ -83,7 +131,7 @@ impl JustExtension {
_ => DownloadedFileType::GzipTar,
},
)
.map_err(|e| format!("Failed to download just-lsp: {}", e))?;
.map_err(|e| format!("Failed to download just-lsp: {e}"))?;

make_file_executable(&binary_path)?;
}
Expand Down
Loading