fix(installer): prefer sha256sum over shasum for checksum verification (#3170)

[olliewalsh]

Summary

The install-openshell.sh script hardcoded shasum, which is less common on Linux. Use sha256sum when available, fall back to shasum, and fail with a clear error if neither is found — matching the existing pattern in check-installer-hash.sh.

Related Issue

Fixes #3170

Changes

• Update scripts/install-openshell.sh to prefer sha256sum, fallback to shasum, fail otherwise

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Oliver Walsh owalsh@redhat.com

Summary by CodeRabbit

• Bug Fixes

  • Installer checksum verification now auto-selects an available checksum utility at runtime and aborts if none are found, improving reliability across environments.

• Tests

  • Updated installation tests to validate the new checksum selection behavior and adjusted expected verification logging.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 13fdbce4-6347-41f2-ae0b-042323330f32

📥 Commits

Reviewing files that changed from the base of the PR and between 0e19a1e and 3251768.

📒 Files selected for processing (3)

• scripts/install-openshell.sh
• test/install-openshell-version-check.test.ts
• test/runner.test.ts

---

📝 Walkthrough

Walkthrough

The installer script now selects an available SHA-256 verifier at runtime (prefer sha256sum, fallback shasum -a 256, fail if neither) and invokes it via $SHA_CMD. Tests were updated to mock and assert the sha256sum-based behavior.

Changes

Dynamic Checksum Tool Selection

Layer / File(s)	Summary
SHA command selection scripts/install-openshell.sh	Introduce $SHA_CMD selected by testing for sha256sum then shasum -a 256, exit if absent.
Checksum verification integration scripts/install-openshell.sh	Invoke checksum verification via $SHA_CMD instead of hardcoded shasum -a 256.
Test stubs and assertions test/runner.test.ts, test/install-openshell-version-check.test.ts	Bash stubs renamed to export sha256sum (previously shasum), a checksum log path is added for capture, and test assertions updated to expect SHA256SUM -c -; macOS test stubs updated to write sha256sum binaries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• jyaunches

Poem

🐰 I hopped the PATH to sniff the prize,
Found sha256sum beneath the skies,
If not, shasum -a 256 I try,
Checks now sing and downloads fly,
A carrot for clean hashes, oh my!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: updating the installer script to prefer sha256sum over shasum for checksum verification.
Linked Issues check	✅ Passed	The changes directly address issue #3170 by implementing the requested behavior: preferring sha256sum, falling back to shasum, and failing with a clear error if neither tool is available.
Out of Scope Changes check	✅ Passed	All changes are in-scope and directly related to the checksum verification enhancement in the installer script and its corresponding tests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

test/runner.test.ts (1)

644-730: ⚡ Quick win

Add explicit tests for the two newly introduced fallback branches.

Current updates validate the preferred sha256sum path, but the new shasum fallback and “neither tool available” failure branch should also be asserted to prevent regressions.

Suggested test additions

+    it("install-openshell.sh falls back to shasum when sha256sum is unavailable", () => {
+      // stub command -v sha256sum => fail, command -v shasum => success
+      // stub shasum() to log args and return success
+      // assert checksum log contains: "SHASUM -a 256 -c -"
+    });
+
+    it("install-openshell.sh fails clearly when no SHA-256 tool is available", () => {
+      // stub command -v sha256sum => fail and command -v shasum => fail
+      // run script and assert non-zero status
+      // assert output contains: "No SHA-256 tool available (sha256sum/shasum)"
+    });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runner.test.ts` around lines 644 - 730, Tests only cover the primary
sha256sum path; add two new specs in test/runner.test.ts that exercise the
shasum fallback and the "neither tool available" failure: (1) create a tmpBin
stub where sha256sum is absent but shasum (or shasum -a 256) is present (write a
small shim that logs invocations to checksumLog), source install-openshell.sh
and assert output contains the shasum-fallback marker and that checksumLog
contains the expected "-c -" invocation; (2) create a tmpBin with no
sha256sum/shasum and with gh absent/failing, run the script and assert it exits
non-zero (or prints the expected failure message such as "gh CLI download
failed"), cleaning up tmpBin afterwards; use the existing scriptPath and
checksumLog variables and mirror the style of the existing tests for spawnSync
invocation and assertions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/runner.test.ts`:
- Around line 644-730: Tests only cover the primary sha256sum path; add two new
specs in test/runner.test.ts that exercise the shasum fallback and the "neither
tool available" failure: (1) create a tmpBin stub where sha256sum is absent but
shasum (or shasum -a 256) is present (write a small shim that logs invocations
to checksumLog), source install-openshell.sh and assert output contains the
shasum-fallback marker and that checksumLog contains the expected "-c -"
invocation; (2) create a tmpBin with no sha256sum/shasum and with gh
absent/failing, run the script and assert it exits non-zero (or prints the
expected failure message such as "gh CLI download failed"), cleaning up tmpBin
afterwards; use the existing scriptPath and checksumLog variables and mirror the
style of the existing tests for spawnSync invocation and assertions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c987855a-0422-46f5-bc81-0aca8de606f8

📥 Commits

Reviewing files that changed from the base of the PR and between 2c3a392 and 0c3bdb1.

📒 Files selected for processing (2)

• scripts/install-openshell.sh
• test/runner.test.ts

[wscurran]

✨ Thanks for submitting this PR that fixes the installer to prefer sha256sum over shasum for checksum verification. This change involves updating the install-openshell.sh script to use sha256sum when available, fall back to shasum, and fail with a clear error if neither is found.

---

Related open issues:

• #3170 install-openshell.sh requires obscure shasum vs sha256sum

[jyaunches]

/ok to test 8b3df61