Skip to content

security: fail by default when no checksum found, add --allow-missing-checksum flag#5

Merged
sgargel merged 2 commits into
mainfrom
feat/no-verify-flag
Jun 16, 2026
Merged

security: fail by default when no checksum found, add --allow-missing-checksum flag#5
sgargel merged 2 commits into
mainfrom
feat/no-verify-flag

Conversation

@sgargel

@sgargel sgargel commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Summary

  • Installing a release with no checksum file now aborts with an error instead of silently proceeding
  • New --allow-missing-checksum / -k flag lets the user explicitly opt in to installing without a checksum
  • usage() and README flags table updated accordingly
  • stackrox/kube-linter added as a concrete example (uses sigstore, no checksums.txt)

Motivation

The previous warning-only path was a silent security downgrade: a compromised CDN or a MITM attack would land exactly here, and gri would
install the tampered binary without complaint. The user had no way to express intent either way.

Making it a hard error forces an explicit decision. The flag name --allow-missing-checksum was chosen over --no-verify because the behaviour
is scoped: it only tolerates an absent checksum file — if a checksum is found, it is always verified regardless of the flag.

Behaviour change

Before
warning: no checksum file found in release assets, skipping verification
installed to /opt/kube-linter/v0.8.3

After (no flag)
error: no checksum file found in release assets
→ use --allow-missing-checksum to install without verification

After (--allow-missing-checksum)
warning: --allow-missing-checksum set, proceeding without verification
installed to /opt/kube-linter/v0.8.3

Test plan

  • gri install stackrox/kube-linter → exits with error
  • gri --allow-missing-checksum install stackrox/kube-linter → installs with visible warning
  • gri -k install stackrox/kube-linter → short flag works
  • gri install yannh/kubeconform → checksum verification still runs normally (unaffected)

sgargel and others added 2 commits June 16, 2026 17:22
Previously gri would print a warning and continue installing when a
release published no checksum file. This is a silent security downgrade
that the user never explicitly consented to.

New behaviour: abort with an error if no checksum asset is found.
The new --no-verify / -k flag opts out explicitly, making the intent
visible and intentional rather than silent.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@sgargel sgargel merged commit a906484 into main Jun 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant