Problem

Three supply chain gaps:

- SC-004: `SHA256SUMS` is not signed. An attacker who can replace the checksum file can direct installs to arbitrary binaries while the signature check passes.
- SC-006 (`install.sh`): `PODUP_VERSION` is used in URL construction without format validation. A malformed value could redirect the download.
- SC-007 (`release.yml`): The `workflow_dispatch` `tag` input is not validated for format before use. A typo or malformed tag would produce a broken release.

Fix

- Sign `SHA256SUMS` with the Ed25519 key; upload `SHA256SUMS.sig`; verify it in `install.sh`.
- Add a regex guard in `install.sh`: `PODUP_VERSION` must match `^v[0-9]+\.[0-9]+\.[0-9]+$` or be `latest`.
- Add a validation step in the `verify` job that checks `inputs.tag` matches `v[0-9]+\.[0-9]+\.[0-9]+`.
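As an added example (not the project's own `install.sh` or `release.yml`), a Go sketch of the verification order the fix calls for: the version tag is checked against the proposed regex, `SHA256SUMS.sig` is verified against a pinned Ed25519 public key, and only a signed `SHA256SUMS` is allowed to vouch for the downloaded asset. The key pair, asset name and binary bytes are constructed in place; a real installer would ship the public key and fetch the three files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// versionRe is the guard the issue proposes for PODUP_VERSION and inputs.tag.
var versionRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)
// ValidVersion accepts "latest" or a strict vMAJOR.MINOR.PATCH tag, nothing else.
func ValidVersion(v string) bool {
	return v == "latest" || versionRe.MatchString(v)
}
// VerifyRelease models the hardened install path: SHA256SUMS.sig is checked
// against the pinned Ed25519 key first; only a signed SHA256SUMS may vouch for a binary.
func VerifyRelease(pub ed25519.PublicKey, sums, sig []byte, asset string, binary []byte) error {
	if !ed25519.Verify(pub, sums, sig) {
		return fmt.Errorf("SHA256SUMS.sig does not verify; checksums untrusted")
	}
	for _, line := range strings.Split(string(sums), "\n") {
		f := strings.Fields(line) // sha256sum format: "<hex>  <filename>"
		if len(f) == 2 && f[1] == asset {
			got := sha256.Sum256(binary)
			if hex.EncodeToString(got[:]) != f[0] {
				return fmt.Errorf("checksum mismatch for %s", asset)
			}
			return nil
		}
	}
	return fmt.Errorf("%s not listed in SHA256SUMS", asset)
}

func main() {
	// Constructed release: an ephemeral key stands in for the project's release key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bin := []byte("constructed podup binary bytes")
	h := sha256.Sum256(bin)
	sums := []byte(hex.EncodeToString(h[:]) + "  podup-linux-amd64\n")
	sig := ed25519.Sign(priv, sums)
	fmt.Println("genuine:", VerifyRelease(pub, sums, sig, "podup-linux-amd64", bin))
	// A replaced SHA256SUMS fails the signature check before any hash is consulted.
	swapped := []byte(strings.Repeat("00", 32) + "  podup-linux-amd64\n")
	fmt.Println("swapped:", VerifyRelease(pub, swapped, sig, "podup-linux-amd64", bin))
	fmt.Println(ValidVersion("v1.2.3"), ValidVersion("latest"), ValidVersion("v1.2.3/../x"))
}
```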