Add checksum verification for bun installer script

fpv-dev · fpv-dev · commit 4763f4a648e7 · 2025-07-03T15:50:01.000+05:00
Fix #27 Signed-off-by: fpv.dev <kich@octra.org>
diff --git a/wallet-generator.ps1 b/wallet-generator.ps1
@@ -8,6 +8,7 @@ $RepoOwner = "octra-labs"
 $RepoName = "wallet-gen"
 $InstallDir = "${Home}\.octra"
 $TempDir = "${env:TEMP}\octra-wallet-gen-install"
+$BunInstallChecksum = "73207f5bab5c4721a3955842867175808b8b09fe9e53aae071ea57a23f5ac61c"
 
 Write-Host "=== ⚠️  SECURITY WARNING ⚠️  ==="
 Write-Host ""
@@ -24,10 +25,21 @@ Write-Host ""
 
 function Install-Bun {
     if (-not (Get-Command bun -ErrorAction SilentlyContinue)) {
-        $installScript = Invoke-RestMethod -Uri 'https://bun.sh/install.ps1'
-        Invoke-Expression $installScript
-        # Add bun to PATH for the current session
-        $env:PATH = "${Home}\.bun\bin;$($env:PATH)"
+        $tempScriptPath = Join-Path $env:TEMP "bun-install.ps1"
+        try {
+            Invoke-WebRequest -Uri 'https://bun.sh/install.ps1' -OutFile $tempScriptPath -UseBasicParsing
+            
+            if ((Get-FileHash -Path $tempScriptPath).Hash.ToLower() -ne $BunInstallChecksum) {
+                Write-Host "Failed to install bun! Please install it manually from https://bun.sh"
+                Remove-Item -Path $tempScriptPath -Force
+                exit 1
+            }
+            
+            & $tempScriptPath
+            $env:PATH = "${Home}\.bun\bin;$($env:PATH)"
+        } finally {
+            Remove-Item -Path $tempScriptPath -Force
+        }
     }
 }
 
diff --git a/wallet-generator.sh b/wallet-generator.sh
@@ -6,6 +6,7 @@ REPO_OWNER="octra-labs"
 REPO_NAME="wallet-gen"
 INSTALL_DIR="$HOME/.octra"
 TEMP_DIR="/tmp/octra-wallet-gen-install"
+BUN_INSTALL_CHECKSUM="144adba33c737330a081689ea5dd54c693c25d2bdb87b1f2d6aaed3c93de737e"
 
 echo "=== ⚠️  SECURITY WARNING ⚠️  ==="
 echo ""
@@ -22,7 +23,14 @@ echo ""
 
 install_bun() {
     if ! command -v bun &> /dev/null; then
-        curl -fsSL https://bun.sh/install | bash
+        curl -fsSL https://bun.sh/install -o /tmp/bun_install.sh
+        if ! echo "$BUN_INSTALL_CHECKSUM  /tmp/bun_install.sh" | shasum -a 256 -c -q; then
+            echo "Failed to install bun! Please install it manually from https://bun.sh"
+            rm -f /tmp/bun_install.sh
+            exit 1
+        fi
+        bash /tmp/bun_install.sh
+        rm -f /tmp/bun_install.sh
         # Set PATH to include Bun's binary directory
         export PATH="$HOME/.bun/bin:$PATH"
     fi
