Summary
Add content integrity verification by storing SHA-256 checksums of downloaded package content in apm.lock.yaml. Verify checksums on subsequent installs to detect tampering or MITM modifications.
Background
Identified during the security assessment for #313 (content security scanner). APM currently stores `resolved_commit` (git SHA) in the lockfile but never checks that the downloaded file content matches an expected hash, so whatever bytes come back for that commit are trusted as-is. A network-level attacker, a compromised proxy, or a host serving rewritten (force-pushed) history could deliver different content for the same recorded SHA and APM would install it without complaint.
For comparison, npm stores `integrity` hashes (SHA-512, in SRI format) in `package-lock.json` and verifies every download against them, failing the install with `EINTEGRITY` on mismatch.
Proposed behavior
- During `apm install`, after downloading a package, compute SHA-256 of the package's file tree (deterministic hash of all file contents)
- Store the hash in `apm.lock.yaml` alongside `resolved_commit`:

```yaml
dependencies:
  - repo_url: "https://github.com/owner/repo"
    resolved_commit: "abc123..."
    content_hash: "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
```

- On subsequent installs from cache, verify the hash matches. On mismatch, warn and re-download.
Considerations
- Hash should be computed over file contents (not metadata like timestamps) for reproducibility. Relative paths (normalized to `/`) need to be part of the input too, in sorted order, otherwise renaming or moving a file inside the package goes undetected; `.git/` and other non-shipped directories should be excluded so a cache checkout and a fresh clone hash identically
- A mismatch against cached content can be resolved by re-downloading, but a mismatch against freshly downloaded content is exactly the tampering this check exists to catch and should fail the install (as npm does) rather than only warn
- Performance: SHA-256 is fast — even large packages (10MB) hash in ~10ms
- Backward compatibility: missing `content_hash` (older lockfiles) should not block install; the first install can record the computed hash so later installs have something to verify against
Priority
P0 — highest impact security improvement available per the security panel assessment.
Related
- `apm audit` command
- #313 — Content security scanner (PR)