fix: verify SHA256 checksum in npm postinstall script (#650)

Co-authored-by: jpoehnelt-bot <jpoehnelt-bot@users.noreply.github.com>

Author: jpoehnelt

.changeset/npm-sha256-verify.md

@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Verify SHA256 checksum of downloaded binary in npm postinstall script

npm/install.js

@@ -2,6 +2,7 @@
 
 "use strict";
 
+const crypto = require("crypto");
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
@@ -130,6 +131,23 @@ async function install() {
     console.error(`Downloading gws from ${url}`);
     await download(url, tmpFile);
 
+    // Verify SHA256 checksum
+    const sha256Url = `${url}.sha256`;
+    const sha256File = `${tmpFile}.sha256`;
+    console.error(`Verifying checksum from ${sha256Url}`);
+    await download(sha256Url, sha256File);
+
+    const expectedHash = fs.readFileSync(sha256File, "utf8").trim().split(/\s+/)[0].toLowerCase();
+    const fileBuffer = fs.readFileSync(tmpFile);
+    const actualHash = crypto.createHash("sha256").update(fileBuffer).digest("hex").toLowerCase();
+
+    if (actualHash !== expectedHash) {
+      throw new Error(
+        `SHA256 checksum mismatch!\n  Expected: ${expectedHash}\n  Actual:   ${actualHash}\nThe downloaded binary may have been tampered with.`,
+      );
+    }
+    console.error("Checksum verified ✓");
+
     console.error(`Extracting to ${INSTALL_DIR}`);
     extract(tmpFile, INSTALL_DIR);