Skip to content

Surface skipped checksum verification in the project installer template #1207

Description

@codeforester

Problem

Validated from Claude third-pass finding [94], with context from the recent installer-template fix.

templates/project-install.sh now verifies the downloaded Base installer when BASE_INSTALL_SHA256 is set, and mismatch tests prove execution stops before running the installer. However the maintained template still defaults to:

BASE_INSTALL_URL="${BASE_INSTALL_URL:-https://raw.githubusercontent.com/basefoundry/base/HEAD/install.sh}"
BASE_INSTALL_SHA256="${BASE_INSTALL_SHA256:-}"

verify_base_installer() returns success silently when BASE_INSTALL_SHA256 is empty. Because the default URL points to mutable HEAD/install.sh, teams copying the template can run an unverified downloaded installer without any runtime indication that verification was skipped.

Desired outcome

Make the project installer template visible and intentional when checksum verification is skipped, or fail closed unless projects deliberately opt into the mutable default.

Scope

  • Decide whether empty BASE_INSTALL_SHA256 should warn, require an explicit opt-out, or fail when BASE_INSTALL_URL is remote/mutable.
  • Preserve a reasonable path for local/project-owned installers if needed.
  • Update docs/project-installers.md and BATS coverage.
  • Keep mismatch verification behavior from PR Verify project installer template downloads #1190 intact.

Acceptance criteria

  • Running the maintained project installer template with no checksum is no longer a silent verification bypass.
  • Tests cover the empty-checksum behavior, matching checksum behavior, and mismatched checksum behavior.
  • Documentation explains the intended project-owned choice clearly.

Classification

Review finding taxonomy: security policy hardening.

Metadata

Metadata

Assignees

Labels

securitySecurity hardening or vulnerability work

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions