Skip to content

fix(upgrade): authenticate Swift release downloads#18

Merged
bob-codedaptive merged 1 commit into
develop/1.0.xfrom
codex/propose-fix-for-swift-upgrade-vulnerability
Jul 14, 2026
Merged

fix(upgrade): authenticate Swift release downloads#18
bob-codedaptive merged 1 commit into
develop/1.0.xfrom
codex/propose-fix-for-swift-upgrade-vulnerability

Conversation

@bob-codedaptive

Copy link
Copy Markdown
Member

Motivation

  • The Swift upgrade path downloaded a tarball and an unauthenticated checksums.txt, then trusted that file to verify the asset, which allowed an attacker who could tamper with release assets to publish a malicious tarball plus matching checksum and have it installed.
  • The shell installer and Rust vertical both provide an independent trust root (minisign on Linux/POSIX and Gatekeeper on macOS) that the Swift path lacked, so the change restores equivalent protections.

Description

  • Require detached minisign verification on non-macOS in the Swift downloader by fetching checksums.txt.minisig and validating checksums.txt with the embedded minisign public key before archive validation or extraction; implemented in ReleaseDownloader.download and verifyMinisignSignature in apps/mootx01/Sources/MootInstallerCore/ReleaseDownloader.swift.
  • Add a fail-closed error case signatureVerificationFailed to UpgradeError and wire it where minisign checks can fail.
  • Preserve the macOS trust split by setting com.apple.quarantine on remotely installed binaries in the upgrade flow so Gatekeeper assesses Developer ID/notarization on first run; implemented in applyGatekeeperQuarantine and invoked for remote downloads in apps/mootx01/Sources/mootx01/Commands/UpgradeCommand.swift.
  • Add a regression unit test downloadRequiresMinisignSignatureWhenChecksumMatches in apps/mootx01/Tests/MootInstallerCoreTests/ReleaseDownloaderTests.swift that ensures a tarball with a matching SHA-256 is rejected if the detached minisign signature is absent, and adjust test setup to compute shasum with the system shasum helper to avoid depending on test-side CryptoKit.

Testing

  • Ran git diff --check which reported no whitespace problems and committed the changes successfully.
  • Attempted swift test --package-path apps/mootx01 --filter ReleaseDownloaderTests but it was blocked by the environment (SwiftPM failed to fetch external package dependencies with CONNECT tunnel failed, response 403), so the test suite could not be executed here.
  • Attempted swiftc -typecheck apps/mootx01/Sources/MootInstallerCore/*.swift but it failed in this environment due to the runtime/toolchain not exposing the CryptoKit module, so an in-repo typecheck could not be completed here.

Codex Task

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

All contributors have signed the CLA. Thank you.
Posted by the CLA Assistant Lite bot.

@bob-codedaptive

Copy link
Copy Markdown
Member Author

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Jul 13, 2026
@bob-codedaptive bob-codedaptive merged commit e32ad64 into develop/1.0.x Jul 14, 2026
1 of 2 checks passed
@bob-codedaptive bob-codedaptive deleted the codex/propose-fix-for-swift-upgrade-vulnerability branch July 14, 2026 01:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant