Install: verify prebuilt binaries with Subresource Integrity check

2025-12-19 07:15:08 +01:00 · 2021-12-12 18:49:17 +00:00
parent 3da258f6fb
commit 3b492ea423
6 changed files with 85 additions and 5 deletions
--- a/install/libvips.js
+++ b/install/libvips.js
@@ -5,6 +5,7 @@ const os = require('os');
 const path = require('path');
 const stream = require('stream');
 const zlib = require('zlib');
+const { createHash } = require('crypto');

 const detectLibc = require('detect-libc');
 const semverLessThan = require('semver/functions/lt');
@@ -55,6 +56,33 @@ const handleError = function (err) {
  }
 };

+const verifyIntegrity = function (platformAndArch) {
+  const expected = libvips.integrity(platformAndArch);
+  if (installationForced || !expected) {
+    libvips.log(`Integrity check skipped for ${platformAndArch}`);
+    return new stream.PassThrough();
+  }
+  const hash = createHash('sha512');
+  return new stream.Transform({
+    transform: function (chunk, _encoding, done) {
+      hash.update(chunk);
+      done(null, chunk);
+    },
+    flush: function (done) {
+      const digest = `sha512-${hash.digest('base64')}`;
+      if (expected !== digest) {
+        libvips.removeVendoredLibvips();
+        libvips.log(`Integrity expected: ${expected}`);
+        libvips.log(`Integrity received: ${digest}`);
+        done(new Error(`Integrity check failed for ${platformAndArch}`));
+      } else {
+        libvips.log(`Integrity check passed for ${platformAndArch}`);
+        done();
+      }
+    }
+  });
+};
+
 const extractTarball = function (tarPath, platformAndArch) {
  const versionedVendorPath = path.join(__dirname, '..', 'vendor', minimumLibvipsVersion, platformAndArch);
  libvips.mkdirSync(versionedVendorPath);
@@ -66,6 +94,7 @@ const extractTarball = function (tarPath, platformAndArch) {

  stream.pipeline(
    fs.createReadStream(tarPath),
+    verifyIntegrity(platformAndArch),
    new zlib.BrotliDecompress(),
    tarFs.extract(versionedVendorPath, { ignore }),
    function (err) {