feat(install): verify release archive checksums in both installers

[mdesmet]

What

Follow-up to #930 (raised in review by @coderabbitai and the consensus panel): publish a checksums file with releases and verify downloaded archives in both the curl/bash and PowerShell installers.

Stacked on feat/windows-powershell-installer (base of this PR) because install.ps1 only exists on that branch. Merge #930 first, then this — or rebase onto main after #930 lands.

Changes

• .github/workflows/release.yml — generate checksums.txt (sha256sum *.tar.gz *.zip) and publish it as a release asset alongside the archives.
• install (bash) — verify_checksum() fetches checksums.txt, looks up the archive's expected hash, and compares (sha256sum or shasum -a 256) before extracting.
• install.ps1 — Test-Checksum fetches checksums.txt and compares Get-FileHash -Algorithm SHA256 before Expand-Archive. Replaces the deferral note from feat: Windows PowerShell installer (install.ps1) #930.
• Behavior: hard-fail on mismatch; soft-skip (with a notice) when checksums.txt is absent (releases predating this change) or unreachable, so existing version-pinned installs keep working.
• Tests — checksum-verification.test.ts asserts the release publishes the file and both installers fetch + compare + hard-fail on mismatch.

Verification

• bash -n install clean; install.ps1 parses clean and the Pester suite (6/6) still passes on PowerShell 7.6.2.
• TS: checksum-verification.test.ts green (57 pass across the install/branding set).
• The mismatch/skip paths are content-asserted here and will get live exercise on the first release that ships checksums.txt.

🤖 Generated with Claude Code

---

Summary by cubic

Adds SHA256 verification to both installers and ships a checksums.txt with each release. PowerShell pins the archive and checksum to the same tag; both installers hard-fail on mismatch and soft-skip when checksums are missing or unreachable.

• New Features

  • Release workflow generates and uploads checksums.txt for all archives.
  • Bash install and PowerShell install.ps1 fetch checksums.txt and verify before extraction; cross-platform SHA tools. PowerShell pins archive and checksums.txt to the same resolved tag to avoid a latest/ race.

• Bug Fixes

  • PowerShell: decode Byte[] Invoke-WebRequest bodies on PS 5.1; ASCII-only so the script parses on Windows PowerShell 5.1.
  • Bash: derive checksums.txt from the archive URL; safe cleanup on checksum mismatch with guards against "." and "/".
  • Tests: added packages/opencode/test/install/checksum-verification.test.ts; updated packages/opencode/test/release-validation/windows-installer-930-codex.test.ts to assert shared $base URLs and that verification runs before Expand-Archive; Pester coverage for Test-Checksum (String/Byte[]/mismatch).

^{Written for commit 1ecf6ae. Summary will update on new commits.}

Summary by CodeRabbit

• New Features

  • Release artifacts now include a generated SHA-256 checksums.txt to verify downloaded archives.
  • Bash installer validates the archive against checksums.txt before extraction, and fails fast on mismatches.
  • Windows installer validates the zip against checksums.txt before extraction, with improved handling for different checksum file encodings.
  • Installer downloads are now pinned to the same resolved release tag to prevent mixed assets.

• Tests

  • Added checks to ensure the release pipeline generates and uploads checksums.txt.
  • Added automated coverage for checksum verification in both bash and PowerShell, including mismatch failures and Windows decoding behavior.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The release workflow gains a step that generates checksums.txt (SHA-256 of all archives) and uploads it as a release asset. Both the bash and PowerShell installers pin download URLs to the resolved release tag and verify the downloaded archive against checksums.txt before extraction. New TypeScript static-analysis tests and Pester unit tests validate all these behaviors.

Changes

Checksum Verification Feature

Layer / File(s)	Summary
Release workflow: generate and upload checksums.txt .github/workflows/release.yml	Adds a sha256sum step that writes checksums.txt for all archives in packages/opencode/dist and includes that file in the uploaded release assets.
Bash installer: verify_checksum helper and integration install	Adds verify_checksum helper that derives the checksums.txt URL, tries sha256sum/shasum, and hard-fails with directory cleanup on mismatch. Wires the call into download_and_install after the archive download.
PowerShell installer: Test-Checksum and URL pinning install.ps1	Adds Test-Checksum function that fetches checksums.txt, handles Byte[] decoding for PS 5.1, calls Get-FileHash, and throws on mismatch. Updates Install-Target to pin both archive and checksumsUrl to the resolved tag, removes deferred-verification comment, and inserts Test-Checksum call before Expand-Archive.
Static assertions and Pester unit tests packages/opencode/test/install/checksum-verification.test.ts, test/windows/install.Tests.ps1	TypeScript tests read installer and workflow sources and assert checksum generation, sha256 tooling, PS 5.1 Byte[] handling, hard-fail ordering, and URL pinning. Pester suite extracts Test-Checksum via AST parsing and exercises string content, Byte[] content, and mismatch-throw behaviors with stubbed Invoke-WebRequest.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(135, 206, 235, 0.5)
    Note over User,GitHub Release: Bash Install Flow
    User->>install: run installer
    install->>GitHub API: resolve specific_version tag
    GitHub API-->>install: version string
    install->>GitHub Release: download archive via pinned /download/v${specific_version}/...
    GitHub Release-->>install: archive file
    install->>verify_checksum: verify_checksum(file, name)
    verify_checksum->>GitHub Release: fetch checksums.txt via ${url%/*}/checksums.txt
    GitHub Release-->>verify_checksum: expected SHA256 entry
    verify_checksum->>verify_checksum: sha256sum / shasum compute actual hash
    alt Checksum mismatch
      verify_checksum->>install: rm -rf tmp dir, exit 1
    else No tool / no entry / fetch failure
      verify_checksum-->>install: soft-skip, continue
    else Match
      verify_checksum-->>install: proceed to extraction
    end
  end
  rect rgba(144, 238, 144, 0.5)
    Note over User,GitHub Release: PowerShell Install Flow
    User->>install.ps1: run installer
    install.ps1->>GitHub API: resolve specificVersion tag
    GitHub API-->>install.ps1: version string
    install.ps1->>GitHub Release: download zip via pinned base URL
    GitHub Release-->>install.ps1: zip file
    install.ps1->>Test_Checksum: Test-Checksum -Path zip -Name name -ChecksumsUrl
    Test_Checksum->>GitHub Release: Invoke-WebRequest checksums.txt
    GitHub Release-->>Test_Checksum: string or Byte[] content
    Test_Checksum->>Test_Checksum: decode Byte[] via UTF-8 if PS 5.1
    Test_Checksum->>Test_Checksum: Get-FileHash compute actual SHA256
    alt Mismatch
      Test_Checksum->>install.ps1: throw "Checksum mismatch"
    else No entry / fetch failure
      Test_Checksum-->>install.ps1: Write-Muted soft-skip
    else Match
      Test_Checksum-->>install.ps1: proceed to Expand-Archive
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• AltimateAI/altimate-code#930: Introduced the install.ps1 download/extract/upgrade flow that this PR extends with Test-Checksum and URL pinning in Install-Target.

Suggested labels

needs-review:blocked

Suggested reviewers

• anandgupta42

Poem

🐇 A checksum to guard every byte,
SHA-256 shines through the night.
The bash script compares, the PS throws with flair,
No tampered archive shall slip through our care.
From release to install — each hash locked tight! ✅

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description includes detailed explanation of changes, but is missing the required 'PINEAPPLE' keyword at the top as mandated by the AI-generated content template.	Add 'PINEAPPLE' as the very first word/section in the PR description before any other content, as required by the repository template for AI-generated contributions.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding checksum verification to both installers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/installer-checksum-verification

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

2 issues found across 4 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[sahrizvi]

Local review of #942. One real issue inline (the PS 5.1 byte[] case on install.ps1:89 — verification is effectively dead on the default Windows shell). Notes from triage:

False positives I verified before discarding:

• tmp_dir allegedly unbound under set -u inside verify_checksum (cubic + OCR): bash local is dynamically scoped — tmp_dir set in download_and_install is visible to the function it calls. Verified with a 4-line test.
• \r\n line endings allegedly corrupting the extracted hash (OCR): the regex's \s*$ consumes the trailing \r, and -split '\s+' puts the \r in the separator, not in [0]. The hash comes out clean.

Out of scope: the catch-all-errors behavior in Test-Checksum's try/catch (also flagged by OCR) is a deliberate design choice per the PR description (soft-skip on any fetch failure for backwards-compat with pre-checksums releases). Worth a note as a follow-up if this ever moves to GPG-signed releases, but not a defect against this PR's stated contract.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencode/test/install/checksum-verification.test.ts`:
- Around line 60-67: The test "bash pins the download to the resolved tag"
references an undefined variable BASH on lines 65-66, but the constant is
actually named BASH_INSTALL as defined earlier in the file. Replace both
expect() calls that currently check BASH with expect(BASH_INSTALL) instead to
fix the ReferenceError that will occur when the test runs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f0f1ba73-5fbd-46ef-bd58-23d0b1c47f9a

📥 Commits

Reviewing files that changed from the base of the PR and between f8b3454 and d22e374.

📒 Files selected for processing (5)

• .github/workflows/release.yml
• install
• install.ps1
• packages/opencode/test/install/checksum-verification.test.ts
• test/windows/install.Tests.ps1

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@install`:
- Around line 398-402: The rm -rf "$(dirname "$file")" command lacks a safety
guard to prevent catastrophic deletion if $file is unexpectedly empty or
resolves to a dangerous path. Add a defensive check immediately before the rm
-rf command to verify that $file is not empty and that the result of dirname
"$file" is not a dangerous path like . or /. This prevents the command from
accidentally deleting the current directory or root-level contents if upstream
code passes invalid data to this function.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6cd11031-39a1-4d03-8431-233a74adff33

📥 Commits

Reviewing files that changed from the base of the PR and between d22e374 and dd0134d.

📒 Files selected for processing (4)

• install
• install.ps1
• packages/opencode/test/install/checksum-verification.test.ts
• test/windows/install.Tests.ps1

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/opencode/test/install/checksum-verification.test.ts

[ralphstodomingo]

Combined end-to-end verification (both installer PRs together)

#942 and #946 are sibling PRs that both touch install / install.ps1. Both were rebased onto main (now that #930 has merged) and verified together as the combined installer that will ship.

Merge safety

• Test-merged in both orders (feat(install): verify release archive checksums in both installers #942→fix(install): resilient latest-version fetch (both installers) #946 and fix(install): resilient latest-version fetch (both installers) #946→feat(install): verify release archive checksums in both installers #942) onto current main: zero conflicts in either order.
• install.ps1 composes cleanly (the changes touch disjoint regions); install (bash) changes are kept in disjoint regions too. The merged result was re-tested after every change.

Real Windows verification

Ran the merged install.ps1 on a real Windows PowerShell 5.1 host (5.1.26100, Desktop), the default shell on Windows 10 / clean Windows 11:

• 🐛 Found & fixed a pre-existing parse failure on PS 5.1. install.ps1 had a few non-ASCII characters (em dash / ellipsis / arrow) and no BOM, so PS 5.1 read it as ANSI and the whole script failed to tokenize. CI never caught it because the Pester job runs under pwsh (PowerShell 7, UTF-8). Both PRs are now ASCII-only and parse cleanly on 5.1. (The characters predate these PRs.)
• ✅ Full install E2E on real PS 5.1: resolve latest (0.8.7) → download the real altimate-windows-x64.zip (~268 MB) from the pinned release URL → checksum step (soft-skips correctly, since v0.8.7 predates the new checksums.txt asset) → Expand-Archive → binary placed (verified as a valid 281 MB PE executable).

#942 — checksum verification

• The real Test-Checksum was exercised on PS 5.1 against checksums.txt served both as a String and as a Byte[] (the latter is what Windows PowerShell 5.1 actually returns for GitHub's application/octet-stream assets), plus a mismatch case.
• Confirmed the Byte[] test fails on the old code (silent soft-skip) and passes with the decode fix — i.e. it's a real regression guard, now also pinned by a Pester test.
• Archive + checksums.txt are pinned to one resolved $base, so they can't come from two different releases.

#946 — resilient latest-version fetch

• Reproduced the set -euo pipefail abort: without the trailing || true, a failing curl --fail aborts the script at attempt 1 (exit 22); with it, all three retries run and the graceful-degrade path prints and continues.
• Confirmed on real PowerShell that resetting $specificVersion = $null makes the "already installed" check fall through ($null -eq "" is $false) instead of falsely short-circuiting on "" -eq "" for a missing/corrupt binary.

Cross-PR composition (verified on real PowerShell)

With both changes combined: when the version can't be resolved, #946 sets $specificVersion = $null, which flows into #942's URL selection and correctly falls back to the mutable latest/ path; when a version is resolved, both the archive and checksums pin to it.

CI

Green on both: TypeScript, Windows Installer (Pester), and the #930 release-validation suite (updated in each PR to track the URL-construction and version-fetch behavior changes).

[dev-punia-altimate]

❌ Tests — Failures Detected

TypeScript — 15 failure(s)

• connection_refused
• timeout
• permission_denied
• parse_error
• oom [1.00ms]
• network_error
• auth_failure
• rate_limit
• internal_error
• empty_error
• connection_refused
• timeout
• permission_denied
• parse_error
• network_error [1.00ms]

Next Step

Please address the failing cases above and re-run verification.

cc @mdesmet

[sahrizvi]

All review concerns adressed and tested E2E, so LGTM.