Summary
Supply-chain hardening follow-up (flagged in the #3634 review). Every scripts/setup/* script downloads a build dependency over HTTPS and builds/bundles it into release artifacts without verifying the download's integrity — no SHA256 pin, no signature check. A compromised upstream/CDN, a hijacked release asset, or a TLS-MITM could substitute a malicious artifact that lands in shipped binaries, and nothing would catch it.
This is consistent across the board (not a regression from any one PR), so it's worth fixing as one sweep.
Affected scripts / downloads
| Script |
Download (unverified) |
setup-qtkeychain.ps1 |
qtkeychain …/archive/refs/tags/0.16.0.tar.gz (added in #3634) |
setup-fftw.ps1 |
https://fftw.org/pub/fftw/fftw-3.3.5-dll64.zip |
setup-hidapi.ps1 |
hidapi GitHub tag tarball |
setup-onnxruntime.ps1 |
onnxruntime GitHub release zip |
setup-opus.ps1 |
opus GitHub/xiph release tarball (two mirrors) |
setup-deepfilter.{ps1,sh} |
libdeepfilter release tarball + DeepFilterNet3 model |
(Confirmed: grep -rinE "sha256|Get-FileHash|checksum" scripts/setup/ → zero hits today.)
Proposed fix
For each download, pin the expected SHA256 next to the URL/version and verify after download, before extract/build, failing hard on mismatch:
- PowerShell:
(Get-FileHash $file -Algorithm SHA256).Hash -eq $Expected → else Write-Error; exit 1.
- Bash:
echo "$EXPECTED $file" | sha256sum -c - (or shasum -a 256 on macOS).
Notes:
- The version string is already part of each cache key, so a version bump naturally requires bumping the pinned hash too — keep them adjacent so they move together.
- For the two-mirror case (
setup-opus.ps1), the same hash verifies whichever mirror served the file.
- Optional stretch: a tiny shared helper (
Verify-Sha256) so the six scripts don't each hand-roll it.
Acceptance
- Every external download in
scripts/setup/ verifies a pinned SHA256 and aborts on mismatch.
- A deliberately-wrong hash fails the setup step (quick local check).
Refs #3634, #3600.
Summary
Supply-chain hardening follow-up (flagged in the #3634 review). Every
scripts/setup/*script downloads a build dependency over HTTPS and builds/bundles it into release artifacts without verifying the download's integrity — no SHA256 pin, no signature check. A compromised upstream/CDN, a hijacked release asset, or a TLS-MITM could substitute a malicious artifact that lands in shipped binaries, and nothing would catch it.This is consistent across the board (not a regression from any one PR), so it's worth fixing as one sweep.
Affected scripts / downloads
setup-qtkeychain.ps1…/archive/refs/tags/0.16.0.tar.gz(added in #3634)setup-fftw.ps1https://fftw.org/pub/fftw/fftw-3.3.5-dll64.zipsetup-hidapi.ps1setup-onnxruntime.ps1setup-opus.ps1setup-deepfilter.{ps1,sh}(Confirmed:
grep -rinE "sha256|Get-FileHash|checksum" scripts/setup/→ zero hits today.)Proposed fix
For each download, pin the expected SHA256 next to the URL/version and verify after download, before extract/build, failing hard on mismatch:
(Get-FileHash $file -Algorithm SHA256).Hash -eq $Expected→ elseWrite-Error; exit 1.echo "$EXPECTED $file" | sha256sum -c -(orshasum -a 256on macOS).Notes:
setup-opus.ps1), the same hash verifies whichever mirror served the file.Verify-Sha256) so the six scripts don't each hand-roll it.Acceptance
scripts/setup/verifies a pinned SHA256 and aborts on mismatch.Refs #3634, #3600.