Merge branch 'main' into rama-integration-beta

2026-05-26 12:10:49 +00:00 · 2026-05-04 14:10:34 +02:00 · 2026-05-04 14:10:34 +02:00 · 9f0e1aeab0
commit 9f0e1aeab0
parent 64a825f43a 7b39239b81
9 changed files with 232 additions and 10 deletions
--- a/install-scripts/install-endpoint-mac.sh
+++ b/install-scripts/install-endpoint-mac.sh
@ -7,8 +7,8 @@
 set -e  # Exit on error

 # Configuration
-INSTALL_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.2.23/EndpointProtection.pkg"
-DOWNLOAD_SHA256="9af1e0f72e53516c888ade1753ed03f087c1def89244eb0afb60e1f11e8e87e2"
+INSTALL_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.3.4/EndpointProtection.pkg"
+DOWNLOAD_SHA256="f2ea55588d42e4aa17545ad787f46dd36001009e2ddb9655c497b1a36edf3581"
 TOKEN_FILE="/tmp/aikido_endpoint_token.txt"

 # Colors for output
--- a/install-scripts/install-endpoint-windows.ps1
+++ b/install-scripts/install-endpoint-windows.ps1
@ -7,8 +7,8 @@ param(
 )

 # Configuration
-$InstallUrl = "https://github.com/AikidoSec/safechain-internals/releases/download/v1.2.23/EndpointProtection.msi"
-$DownloadSha256 = "3327d35db6654d12dbd7c5ccec0645edb0277f71dcd993ba9733e266bbd235f8"
+$InstallUrl = "https://github.com/AikidoSec/safechain-internals/releases/download/v1.3.4/EndpointProtection.msi"
+$DownloadSha256 = "0699379716a9a8b1531befa538befb237252af9f7fd780b33f4dce73588c6f83"

 # Ensure TLS 1.2 is enabled for downloads
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
--- a/install-scripts/install-safe-chain.ps1
+++ b/install-scripts/install-safe-chain.ps1
@ -52,6 +52,20 @@ $SafeChainBase = $installDirValidation.Normalized
 $InstallDir = Join-Path $SafeChainBase "bin"
 $RepoUrl = "https://github.com/AikidoSec/safe-chain"

+# SHA256 checksums for release binaries.
+# Empty in source; populated by the release pipeline.
+# When empty (running from main), checksum verification is skipped.
+# Non-Windows hashes are unused today (PS script is Windows-only) but baked in
+# for future cross-platform support.
+$SHA256_MACOS_X64 = ""
+$SHA256_MACOS_ARM64 = ""
+$SHA256_LINUX_X64 = ""
+$SHA256_LINUX_ARM64 = ""
+$SHA256_LINUXSTATIC_X64 = ""
+$SHA256_LINUXSTATIC_ARM64 = ""
+$SHA256_WIN_X64 = ""
+$SHA256_WIN_ARM64 = ""
+
 # Ensure TLS 1.2 is enabled for downloads
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

@ -166,6 +180,38 @@ function Get-BinaryName {
    return "safe-chain-win-$Architecture.exe"
 }

+# Returns the expected SHA256 for the given OS+arch, or empty if not baked in.
+function Get-ExpectedSha256 {
+    param([string]$Os, [string]$Architecture)
+    switch ("$Os-$Architecture") {
+        "macos-x64"         { return $SHA256_MACOS_X64 }
+        "macos-arm64"       { return $SHA256_MACOS_ARM64 }
+        "linux-x64"         { return $SHA256_LINUX_X64 }
+        "linux-arm64"       { return $SHA256_LINUX_ARM64 }
+        "linuxstatic-x64"   { return $SHA256_LINUXSTATIC_X64 }
+        "linuxstatic-arm64" { return $SHA256_LINUXSTATIC_ARM64 }
+        "win-x64"           { return $SHA256_WIN_X64 }
+        "win-arm64"         { return $SHA256_WIN_ARM64 }
+        default             { return "" }
+    }
+}
+
+function Test-Checksum {
+    param([string]$File, [string]$Expected)
+
+    if ([string]::IsNullOrWhiteSpace($Expected)) { return }
+
+    $actual = (Get-FileHash -Path $File -Algorithm SHA256).Hash.ToLowerInvariant()
+    $expectedLower = $Expected.ToLowerInvariant()
+
+    if ($actual -ne $expectedLower) {
+        Remove-Item -Path $File -Force -ErrorAction SilentlyContinue
+        Write-Error-Custom "Checksum verification failed. Expected: $expectedLower, Got: $actual"
+    }
+
+    Write-Info "Checksum verified."
+}
+
 # Runs safe-chain setup or setup-ci after the binary is installed.
 # Temporarily appends the install directory to PATH and downgrades setup failures to warnings.
 function Invoke-SafeChainSetup {
@ -305,6 +351,9 @@ function Install-SafeChain {
        Write-Error-Custom "Failed to download from $downloadUrl : $_"
    }

+    $expectedSha = Get-ExpectedSha256 -Os "win" -Architecture $arch
+    Test-Checksum -File $tempFile -Expected $expectedSha
+
    # Rename to final location
    $finalFile = Join-Path $InstallDir "safe-chain.exe"
    try {
--- a/install-scripts/install-safe-chain.sh
+++ b/install-scripts/install-safe-chain.sh
@ -55,6 +55,18 @@ SAFE_CHAIN_BASE="${HOME}/.safe-chain"
 INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
 REPO_URL="https://github.com/AikidoSec/safe-chain"

+# SHA256 checksums for release binaries.
+# Empty in source; populated by the release pipeline via sed.
+# When empty (running from main), checksum verification is skipped.
+SHA256_MACOS_X64=""
+SHA256_MACOS_ARM64=""
+SHA256_LINUX_X64=""
+SHA256_LINUX_ARM64=""
+SHA256_LINUXSTATIC_X64=""
+SHA256_LINUXSTATIC_ARM64=""
+SHA256_WIN_X64=""
+SHA256_WIN_ARM64=""
+
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
@ -156,6 +168,57 @@ fetch_latest_version() {
    echo "$latest_version"
 }

+# Returns the expected SHA256 for the detected platform, or empty if the
+# release pipeline has not baked one in (i.e. running the source from main).
+get_expected_sha256() {
+    os="$1"; arch="$2"
+    case "${os}-${arch}" in
+        macos-x64)         echo "$SHA256_MACOS_X64" ;;
+        macos-arm64)       echo "$SHA256_MACOS_ARM64" ;;
+        linux-x64)         echo "$SHA256_LINUX_X64" ;;
+        linux-arm64)       echo "$SHA256_LINUX_ARM64" ;;
+        linuxstatic-x64)   echo "$SHA256_LINUXSTATIC_X64" ;;
+        linuxstatic-arm64) echo "$SHA256_LINUXSTATIC_ARM64" ;;
+        win-x64)           echo "$SHA256_WIN_X64" ;;
+        win-arm64)         echo "$SHA256_WIN_ARM64" ;;
+        *)                 echo "" ;;
+    esac
+}
+
+compute_sha256() {
+    file="$1"
+    if command_exists sha256sum; then
+        sha256sum "$file" | awk '{print $1}'
+    elif command_exists shasum; then
+        shasum -a 256 "$file" | awk '{print $1}'
+    else
+        echo ""
+    fi
+}
+
+# Verifies the downloaded binary against the expected hash baked in by the release pipeline.
+# No-op when no expected hash is set (running the script from main).
+verify_checksum() {
+    file="$1"; expected="$2"
+
+    if [ -z "$expected" ]; then
+        return
+    fi
+
+    actual=$(compute_sha256 "$file")
+    if [ -z "$actual" ]; then
+        rm -f "$file"
+        error "Cannot verify checksum: neither sha256sum nor shasum is available. Install one and re-run."
+    fi
+
+    if [ "$actual" != "$expected" ]; then
+        rm -f "$file"
+        error "Checksum verification failed. Expected: $expected, Got: $actual"
+    fi
+
+    info "Checksum verified."
+}
+
 # Download file
 download() {
    url="$1"
@ -432,6 +495,9 @@ main() {
    info "Downloading from: $DOWNLOAD_URL"
    download "$DOWNLOAD_URL" "$TEMP_FILE"

+    EXPECTED_SHA256=$(get_expected_sha256 "$OS" "$ARCH")
+    verify_checksum "$TEMP_FILE" "$EXPECTED_SHA256"
+
    # Rename and make executable
    FINAL_FILE=$(get_final_binary_path "$OS")
    mv "$TEMP_FILE" "$FINAL_FILE" || error "Failed to move binary to $FINAL_FILE"