1 files changed, 40 insertions, 10 deletions

diff --git a/user_install_script.sh b/user_install_script.sh
index 247f0e2..cb76b57 100644
--- a/user_install_script.sh
+++ b/user_install_script.sh
@@ -34,17 +34,47 @@ if [ "$SKIP_DECKY_INSTALL" != true ]; then
   bash "${tmp_script}"
 fi
 
-# Download and run Decky Loader client (mirror-hosted).
+# Download and verify Decky Loader client (mirror-hosted).
 decky_client="/tmp/decky_client.py"
-if curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then
-  # Install the plugin
-  python3 "${decky_client}" install \
-    --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \
-    --target-id "${DECKY_PLUGIN_TARGET_ID}"
-  
-  # Configure the custom store URL for future use
-  python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins"
-else
+decky_client_checksum="/tmp/decky_client.py.sha256"
+
+# Download the client script
+if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then
   echo "Failed to download Decky Loader client script." >&2
   exit 1
 fi
+
+# Download the checksum file
+if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py.sha256" -o "${decky_client_checksum}"; then
+  echo "Failed to download checksum file for Decky Loader client." >&2
+  exit 1
+fi
+
+# Verify the checksum
+if command -v sha256sum >/dev/null 2>&1; then
+  if ! (cd /tmp && sha256sum -c decky_client.py.sha256); then
+    echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2
+    rm -f "${decky_client}" "${decky_client_checksum}"
+    exit 1
+  fi
+elif command -v shasum >/dev/null 2>&1; then
+  if ! (cd /tmp && shasum -a 256 -c decky_client.py.sha256); then
+    echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2
+    rm -f "${decky_client}" "${decky_client_checksum}"
+    exit 1
+  fi
+else
+  echo "Warning: No checksum tool available (sha256sum or shasum). Skipping integrity verification." >&2
+  echo "This is a security risk. Consider installing sha256sum or shasum." >&2
+fi
+
+# Install the plugin
+python3 "${decky_client}" install \
+  --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \
+  --target-id "${DECKY_PLUGIN_TARGET_ID}"
+
+# Configure the custom store URL for future use
+python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins"
+
+# Clean up
+rm -f "${decky_client}" "${decky_client_checksum}"