fix: verify SHA256 checksum when downloading libcurl source tarball (semgrep/semgrep-proprietary#6032)

fix: verify SHA256 checksum when downloading libcurl source tarball

The Alpine CI build downloads and compiles libcurl from source without
any integrity verification, leaving it vulnerable to MITM or host
compromise. This patch adds a SHA256 check against the known hash before
extracting and building.

Test plan:

- [x] Test hash correctness locally
    - `curl -sL https://curl.se/download/curl-8.5.0.tar.gz | shasum -a 256` outputs the expected hash.
- [x] Happy path: `docker run --rm -v "$PWD/OSS/scripts:/scripts" alpine:3.23 sh -c 'apk add curl bash build-base && bash /scripts/build-static-libcurl.sh'`: 
    - Checksum verified, curl built and installed, exit code 0
- [x] SHA mismatch path: `docker run --rm -v "$PWD/OSS/scripts:/scripts" alpine:3.23 sh -c 'apk add curl bash build-base && sed "s/05fc17ff/deadbeef/" /scripts/build-static-libcurl.sh | bash'`
    - Output: `sha256sum: WARNING: 1 of 1 computed checksums did NOT match`; exit code 1

synced from Pro 436790e727031fe569d941e65cf585aa63210f78
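The pin-then-verify pattern the commit describes, as an added shell example that is not the project's `build-static-libcurl.sh`: the URL and pinned digest are caller-supplied parameters, and the self-check hashes a constructed file so it runs offline.

```shell
# Prefer GNU/busybox sha256sum (Alpine); fall back to Perl shasum (macOS).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, non-zero on mismatch.
# Feeds "<digest>  <file>" to `-c`, so a mismatch prints the same
# "WARNING: 1 of 1 computed checksums did NOT match" seen in the test plan.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | $(sha256_tool) -c >/dev/null
}

# fetch_verify_extract URL EXPECTED_HEX DEST_DIR (hypothetical helper)
# Download to a temp file and extract only after the digest check passes.
fetch_verify_extract() {
    url="$1"; expected="$2"; dest="$3"
    tmp="$(mktemp)" || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url; refusing to extract" >&2
        rm -f "$tmp"; return 1      # an unverified archive never reaches tar
    fi
    mkdir -p "$dest" && tar -xzf "$tmp" -C "$dest"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Offline self-check on a constructed file: the true digest must pass, and a
# digest with every hex digit shifted (a corrupted pin, like the sed in the
# test plan) must be rejected. Returns 0 only if both hold.
demo_check() {
    f="$(mktemp)" || return 1
    printf 'constructed stand-in for curl-8.5.0.tar.gz\n' > "$f"
    good="$($(sha256_tool) "$f" | cut -d' ' -f1)"
    bad="$(printf '%s' "$good" | tr '0-9a-f' '1-9a-f0')"
    if verify_sha256 "$f" "$good"; then ok=0; else ok=1; fi
    if verify_sha256 "$f" "$bad"; then rejected=1; else rejected=0; fi
    rm -f "$f"
    [ "$ok" -eq 0 ] && [ "$rejected" -eq 0 ]
}
```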
Nathan Taylor committed
571ee9670259ce74eca1ed6b8b81ebfa025f2e1e
Parent: c3b43f7
Committed by Nathan Taylor <nbtaylor@gmail.com> on 4/16/2026, 3:46:20 PM