hendriknielaender / zvm

⚡ Fast and simple zig version manager
MIT License

Implement Checksum Verification for Zig Binary Downloads #4

Closed hendriknielaender closed 10 months ago

hendriknielaender commented 1 year ago

For security and data integrity purposes, it's imperative that we add checksum (shasum) verification to the Zig binary downloads. This will ensure that the downloaded binaries have not been tampered with and are the exact copies of the originals.

When a Zig binary is downloaded, we should:

  1. Compute its SHA-256 hash.
  2. Compare the computed hash with the provided shasum.
  3. If they don't match, reject the binary, possibly with a HashMismatch error.
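
The three steps above, sketched as free functions over an in-memory buffer. This is an added example, not part of the original thread and not zvm's own code; `verifyDownload`, `parseShasum` and `MalformedChecksum` are hypothetical names, only `HashMismatch` comes from the issue, and it assumes the published shasum is a hex string.

```zig
const std = @import("std");
const Sha256 = std.crypto.hash.sha2.Sha256;

// HashMismatch is the error named in the issue; MalformedChecksum is a
// hypothetical addition for an unusable expected value.
pub const VerifyError = error{ HashMismatch, MalformedChecksum };

/// Decode the published hex shasum into raw bytes. Anything that is not
/// exactly 64 hex characters is rejected up front, so an empty or truncated
/// checksum can never be treated as a match.
fn parseShasum(hex: []const u8) VerifyError![Sha256.digest_length]u8 {
    const trimmed = std.mem.trim(u8, hex, " \t\r\n");
    if (trimmed.len != Sha256.digest_length * 2) return error.MalformedChecksum;
    var out: [Sha256.digest_length]u8 = undefined;
    _ = std.fmt.hexToBytes(&out, trimmed) catch return error.MalformedChecksum;
    return out;
}

/// Step 1: hash the downloaded bytes. Step 2: compare with the expected
/// digest. Step 3: reject with HashMismatch if they differ.
pub fn verifyDownload(data: []const u8, expected_hex: []const u8) VerifyError!void {
    const expected = try parseShasum(expected_hex);
    var actual: [Sha256.digest_length]u8 = undefined;
    Sha256.hash(data, &actual, .{});
    if (!std.mem.eql(u8, &actual, &expected)) return error.HashMismatch;
}

// Constructed sample input: the SHA-256 test vector for the bytes "abc".
const abc_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

test "matching checksum is accepted, trailing newline tolerated" {
    try verifyDownload("abc", abc_sha256 ++ "\n");
}

test "modified download is rejected" {
    try std.testing.expectError(error.HashMismatch, verifyDownload("abd", abc_sha256));
}

test "truncated checksum is rejected, not compared" {
    try std.testing.expectError(error.MalformedChecksum, verifyDownload("abc", "ba7816bf"));
}
```

Run with `zig test` on the file. The check is only as trustworthy as the channel the expected shasum was fetched over.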

ellacrity commented 12 months ago

I would love to implement this feature if that would be okay with you!

I have a few ideas that could work well here. The way I see it, the implementation could be just a few free functions within hash.zig that read some arbitrary input buffer, and compare it to an expected value (like you already seem to have started). That ticks off goals 1 and 2.

I like this as the approach is straightforward and easy to understand. I can implement the functionality to compute the downloaded file hash, compare it to the provided checksum file contents, and also write whatever else is required to meet your goal 3.

Would you prefer that the implementation be free functions in the hash.zig module? Or do you want something a bit more flexible, like a generic Validator function (interface), or whatnot, allowing more flexibility in the future at the cost of adding immediate complexity?

hendriknielaender commented 12 months ago

Hi @ellacrity,

Thanks for wanting to help with adding the checksum verification. I like your simple and clear approach of using free functions in the hash.zig module. I believe this aligns well with the current structure of the project.

I don't have a preferred way of implementation and am open to the proposed method, which balances simplicity and effectiveness.

I'm happy to assign this task to you. Please feel free to reach out if you have any further questions or need clarification on any aspect as you work through this.

Looking forward to your work on this!

ellacrity commented 12 months ago

I did not notice at first that you were using a v0.11.0 Zig toolchain. I assume this is not going to change until the next major release (0.12.0)?

The reason I ask is that there are breaking changes that occurred due to the std.http.Client struct. I just wanted to double check with you before implementing this. I track the master branch but I will of course use 0.11.0 unless told otherwise.

hendriknielaender commented 12 months ago

Yes, your assumptions were correct :)

I have added Compatibility Notes to the readme. Already a good catch, as soon as 0.12 gets released we need to do the migration for std.http.Client.

hendriknielaender commented 11 months ago

Any updates? Just asking, otherwise I would go ahead and adjust my open PR.