From 9ab34cd1d5b6190fc36eae63f3a5ca214adea3ae Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 15:19:35 +0000 Subject: Add SHA256 checksum verification for decky_client.py downloads Co-authored-by: tranch <5999732+tranch@users.noreply.github.com> --- .github/workflows/release-on-tag.yml | 5 ++++ user_install_script.sh | 50 ++++++++++++++++++++++++++++-------- 2 files changed, 45 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release-on-tag.yml b/.github/workflows/release-on-tag.yml index 5512646..92dc816 100644 --- a/.github/workflows/release-on-tag.yml +++ b/.github/workflows/release-on-tag.yml @@ -25,6 +25,10 @@ jobs: sed -i "s|__DECKY_PLUGIN_ID__|${PLUGIN_ID}|g" user_install_script.sh sed -i "s|__DECKY_MIRROR_HOST__|$MIRROR_HOST|g" decky_installer.desktop + - name: Generate checksum for decky_client.py + run: | + sha256sum decky_client.py > decky_client.py.sha256 + - name: Create GitHub release uses: softprops/action-gh-release@v2 with: @@ -33,4 +37,5 @@ jobs: files: | user_install_script.sh decky_client.py + decky_client.py.sha256 decky_installer.desktop diff --git a/user_install_script.sh b/user_install_script.sh index 247f0e2..cb76b57 100644 --- a/user_install_script.sh +++ b/user_install_script.sh 
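Review bot: The "Generate checksum for decky_client.py" step in `.github/workflows/release-on-tag.yml` publishes the digest as a sibling release asset, so the installer fetches the file and its checksum from the same place. The check therefore detects a corrupted or truncated download but not a replaced one, because whoever can alter one asset on the mirror can alter both. If tamper detection is the goal, the digest has to reach the user by a path the mirror does not control, for instance a signature checked against a key shipped with the installer, or the digest substituted into `user_install_script.sh` in this job the way `__DECKY_PLUGIN_ID__` is (assuming the installer itself comes from a trusted source, which the page does not show). At minimum the step deserves a comment stating what it provides, e.g. `# integrity only: detects corrupt downloads, not a compromised mirror`. The job's earlier steps lie outside the hunk.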
@@ -34,17 +34,47 @@ if [ "$SKIP_DECKY_INSTALL" != true ]; then bash "${tmp_script}" fi -# Download and run Decky Loader client (mirror-hosted). +# Download and verify Decky Loader client (mirror-hosted). decky_client="/tmp/decky_client.py" -if curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then - # Install the plugin - python3 "${decky_client}" install \ - --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \ - --target-id "${DECKY_PLUGIN_TARGET_ID}" - - # Configure the custom store URL for future use - python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" -else +decky_client_checksum="/tmp/decky_client.py.sha256" + +# Download the client script +if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then echo "Failed to download Decky Loader client script." >&2 exit 1 fi + +# Download the checksum file +if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py.sha256" -o "${decky_client_checksum}"; then + echo "Failed to download checksum file for Decky Loader client." >&2 + exit 1 +fi + +# Verify the checksum +if command -v sha256sum >/dev/null 2>&1; then + if ! (cd /tmp && sha256sum -c decky_client.py.sha256); then + echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2 + rm -f "${decky_client}" "${decky_client_checksum}" + exit 1 + fi +elif command -v shasum >/dev/null 2>&1; then + if ! (cd /tmp && shasum -a 256 -c decky_client.py.sha256); then + echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2 + rm -f "${decky_client}" "${decky_client_checksum}" + exit 1 + fi +else + echo "Warning: No checksum tool available (sha256sum or shasum). Skipping integrity verification." >&2 + echo "This is a security risk. 
Consider installing sha256sum or shasum." >&2 +fi + +# Install the plugin +python3 "${decky_client}" install \ + --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \ + --target-id "${DECKY_PLUGIN_TARGET_ID}" + +# Configure the custom store URL for future use +python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" + +# Clean up +rm -f "${decky_client}" "${decky_client_checksum}" -- cgit v1.2.3
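Review bot: The final `else` branch only warns and then falls through to `python3 "${decky_client}" install`, so on a system with neither sha256sum nor shasum the download runs unverified; that branch should end in `exit 1`. The client and its checksum also keep fixed names in /tmp, where a file pre-created by another local user could be altered between the check and the python3 run. Cleanup is repeated per branch and missed when the checksum download fails; a `mktemp -d` directory removed by an EXIT trap covers both the fixed names and the cleanup. `sha256sum -c` verifies whichever file name the downloaded checksum file lists, so comparing the computed digest of `${decky_client}` with the file's first field is stricter. The sketch assumes the script installs no other EXIT trap, which the hunk does not show.

```shell
# Private working directory instead of fixed names in /tmp; removed on every exit path.
decky_tmp="$(mktemp -d)" || exit 1
trap 'rm -rf -- "${decky_tmp}"' EXIT
decky_client="${decky_tmp}/decky_client.py"
decky_client_checksum="${decky_tmp}/decky_client.py.sha256"

# … unchanged: the two curl downloads and their error branches …

# Compute the digest of the file that will actually be executed; fail closed without a tool.
if command -v sha256sum >/dev/null 2>&1; then
  actual="$(sha256sum "${decky_client}")" || exit 1
elif command -v shasum >/dev/null 2>&1; then
  actual="$(shasum -a 256 "${decky_client}")" || exit 1
else
  echo "No checksum tool available (sha256sum or shasum); refusing to run an unverified download." >&2
  exit 1
fi

# Only the first field of the checksum file is trusted, not the file name it lists.
read -r expected _ < "${decky_client_checksum}" || expected=""
if [ -z "${expected}" ] || [ "${actual%% *}" != "${expected}" ]; then
  echo "Checksum verification failed for Decky Loader client." >&2
  exit 1
fi

# … unchanged: python3 install and configure-store calls; the trailing rm -f is no longer needed …
```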