feat(security): SHA256 verification + icm upgrade --apply command #103

Merged: pszymkowiak merged 1 commit into main from feat/upgrade-command on Apr 12, 2026

@pszymkowiak
Contributor

Summary

Adds mandatory SHA256 verification to all install/upgrade paths.

install.sh

  • Downloads checksums.txt alongside the binary archive
  • Verifies SHA256 before extraction
  • Aborts install if checksum mismatch (tamper detection)
  • Works on macOS (shasum) and Linux (sha256sum)

New `icm upgrade` command

  • `icm upgrade --check` — check if new version available (no install)
  • `icm upgrade --apply` — download + verify + install atomically
  • Mandatory SHA256 verification before replacing the running binary
  • Atomic replacement with rollback on failure
  • Refuses to upgrade if SHA256 mismatch

Security properties

  • No binary is ever installed without SHA256 verification (install + upgrade)
  • Checksums are published by the release workflow (already creates `checksums.txt`)
  • User sees the verified hash on success, error on mismatch

Test plan

  • `cargo build` OK
  • `icm upgrade --check` correctly reports current vs latest
  • Install script checksum verification tested

- install.sh now MANDATORY verifies SHA256 against checksums.txt before installing
- New 'icm upgrade --check' / 'icm upgrade --apply' command:
  - Fetches latest release from GitHub
  - Downloads binary + checksums.txt
  - Verifies SHA256 before replacing running binary
  - Atomic replacement with rollback on failure
  - Refuses to upgrade if SHA256 mismatch (tamper detection)

Security: no binary is ever installed without SHA256 verification.
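
The verify-before-extract step described above for install.sh, sketched as an added example (not the project's install.sh and not code from this PR). It assumes checksums.txt uses the standard `sha256sum` line format; the function names and any archive name passed in are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against checksums.txt before extraction.
# Assumption: checksums.txt lines look like "<hex digest>  <filename>" (sha256sum format).

# Print the SHA256 of a file using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'      # Linux (coreutils)
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'  # macOS
    else
        echo "error: no SHA256 tool found" >&2
        return 2
    fi
}

# verify_archive <archive> <checksums.txt>
# Returns 0 only if the archive name is listed exactly once and the digest matches.
verify_archive() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Compare the filename field exactly (dropping the binary-mode '*' prefix), so an
    # entry for "name.sig" can never satisfy a lookup for "name".
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { c++; h = tolower($1) } END { if (c == 1) print h }' "$sums")
    if [ -z "$expected" ]; then
        echo "error: $name is not listed exactly once in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$archive") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "error: SHA256 mismatch for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "verified $name sha256=$actual"
}

# Usage: sh verify.sh <archive> <checksums.txt>; extract only if this exits 0.
if [ "$#" -eq 2 ]; then verify_archive "$1" "$2"; fi
```

A checksums file fetched from the same release as the archive catches corruption or a swapped archive, but not a compromise of the release itself; that needs a signature over the checksums file.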
@pszymkowiak
Contributor Author

wshm · Automated triage by AI

📊 Automated PR Analysis

Type feature
🔴 Risk high

Summary

Adds mandatory SHA256 checksum verification to the install script and introduces a new icm upgrade command (with --check and --apply flags) that downloads, verifies, and atomically replaces the running binary. Also switches JSON config parsing to serde_json_lenient to tolerate trailing commas in user-edited files.

Review Checklist

  • Tests present
  • Breaking change
  • Docs updated

Analyzed automatically by wshm · This is an automated analysis, not a human review.

pszymkowiak merged commit 3aa18b1 into main on Apr 12, 2026
4 checks passed