Summary
The installer script (install.sh, lines 178–198, 257–265) downloads a checksums file and verifies SHA-256 integrity. However:
If neither shasum nor sha256sum is available (lines 193–196), verification is silently skipped with only a warning
If the checksums file itself cannot be downloaded (lines 263–264), verification is skipped entirely
An attacker who can manipulate the download (MITM without HTTPS pinning) could serve a binary without the checksum file.
Impact
Severity: MediumUsers may install a tampered binary without realising verification was skipped.
Proposed Fix
Make checksum verification mandatory — fail if sha256sum is unavailable or the checksums file cannot be downloaded
Consider adding GPG/Sigstore signature verification (see also Add GitHub artifact attestations for release binaries #542
Note: #542 covers GitHub artifact attestations which is complementary but separate from installer-side verification.
Summary
The installer script (
install.sh, lines 178–198, 257–265) downloads a checksums file and verifies SHA-256 integrity. However:shasumnorsha256sumis available (lines 193–196), verification is silently skipped with only a warningAn attacker who can manipulate the download (MITM without HTTPS pinning) could serve a binary without the checksum file.
Impact
Proposed Fix
Note: #542 covers GitHub artifact attestations which is complementary but separate from installer-side verification.