fix: replace curl|bash installs with pinned, verified tools #51

Merged: dasirra merged 3 commits into develop from build/45-sec-replace-curl-bash-installs on Mar 26, 2026

@dasirra (Owner) commented Mar 25, 2026

Summary

Eliminates four unverified runtime/build-time downloads that were vulnerable to supply-chain attacks. All tools are now pinned to specific versions with SHA256 checksums verified before extraction.

Source

Closes #45 — security audit 2026-03-25

What Changed

Dockerfile

  • xurl: pinned to v1.0.3 with SHA256 verification for both amd64 and arm64; replaces dynamic releases/latest fetch + pipe-to-tar
  • Claude CLI: pre-installed at build time via npm install -g @anthropic-ai/claude-code@2.1.83; eliminates curl|bash at container startup
  • @googleworkspace/cli: pinned to v0.22.1 (was unpinned latest)

init.d/01-tools.sh

  • Claude CLI block: no longer downloads at runtime; logs a warning if the binary is unexpectedly missing
  • GWS skills: pinned to commit a52d297 instead of floating https://github.com/googleworkspace/cli

installer/gum.sh

  • Binary download path: pinned to v0.17.0; added SHA256 verification (supports sha256sum and shasum) before extraction; removed dynamic GitHub API version query; handles Linux (x86_64/arm64) and macOS (x86_64/arm64)

Tasks

| Task | Status | Notes |
|---|---|---|
| Pin xurl in Dockerfile with SHA256 | DONE | v1.0.3, amd64 + arm64 |
| Pre-install Claude CLI in Dockerfile | DONE | v2.1.83 via npm |
| Pin GWS skills to commit hash | DONE | a52d297 |
| Add SHA256 verification to gum binary download | DONE | v0.17.0, 4 platforms |

Code Review

Clean review — changes are additive security hardening with no logic changes to existing behavior.


Built autonomously by /build

dasirra and others added 3 commits March 25, 2026 22:08
- Dockerfile: pin xurl to v1.0.3 with SHA256 verification for amd64/arm64
- Dockerfile: pre-install Claude CLI v2.1.83 via npm at build time (eliminates curl|bash at runtime)
- Dockerfile: pin @googleworkspace/cli to v0.22.1
- init.d/01-tools.sh: remove curl|bash Claude CLI install (no-op since pre-baked); pin GWS skills to commit a52d297
- installer/gum.sh: pin gum to v0.17.0 with SHA256 verification for Linux and macOS (x86_64/arm64)

Resolves #45 — security audit 2026-03-25

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Merge two npm install -g layers into one (faster builds, better cache)
- Simplify Claude CLI boot check to one-liner (no more --version spawning Node)
- Move GWS_COMMIT to top of 01-tools.sh with cross-reference comment
- Align gum.sh SHA256 verification to use sha256sum -c - pattern
- Remove narrating comments, add meaningful why-comment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

dasirra marked this pull request as ready for review March 26, 2026 10:37
dasirra merged commit a1c53ae into develop Mar 26, 2026
1 check passed
dasirra deleted the build/45-sec-replace-curl-bash-installs branch March 26, 2026 10:37
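
Added example (not code from this repository or the PR): a shell implementation of the verify-before-extract pattern the summary describes, with the `sha256sum`/`shasum` fallback and a fail-closed check on the pin itself. The function names and the locally built demo archive are assumptions; in real use the pinned digest is a literal committed next to the version number.

```shell
#!/bin/sh
# Added example; function names and the demo archive are hypothetical.

# Print a file's SHA256 with whichever tool exists (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 2    # no hashing tool: callers must fail closed
    fi
}

# verify_and_extract ARCHIVE PINNED_SHA256 DEST
# Extracts only when the archive's digest equals the pinned one.
verify_and_extract() {
    archive=$1; pinned=$2; dest=$3
    # Reject an empty or malformed pin so an unset variable can never
    # "match" the empty digest produced by a missing file.
    case $pinned in *[!0-9a-f]*) echo "malformed pin" >&2; return 1 ;; esac
    [ "${#pinned}" -eq 64 ] || { echo "malformed pin" >&2; return 1; }
    actual=$(sha256_of "$archive") || { echo "no sha256 tool" >&2; return 1; }
    if [ "$actual" != "$pinned" ]; then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed demo: a local archive stands in for the downloaded release.
demo() {
    work=$(mktemp -d) || return 1
    printf 'echo tool\n' > "$work/tool"
    tar -czf "$work/good.tar.gz" -C "$work" tool
    pin=$(sha256_of "$work/good.tar.gz")   # real use: a literal committed beside the version
    cp "$work/good.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"  # simulate a changed upstream artifact
    verify_and_extract "$work/good.tar.gz" "$pin" "$work/out" && good=ok || good=fail
    verify_and_extract "$work/tampered.tar.gz" "$pin" "$work/bad" 2>/dev/null \
        && bad=extracted || bad=rejected
    [ -e "$work/out/tool" ] || good=fail
    if [ -e "$work/bad/tool" ]; then bad=extracted; fi
    rm -rf "$work"
    echo "$good $bad"
}

demo    # prints "ok rejected"
```

The digest is checked on the file on disk before `tar` touches it, so a mismatch leaves nothing extracted.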