(archivePath, expectedHash)
| 286 | } |
| 287 | |
| 288 | function verifyChecksum(archivePath, expectedHash) { |
| 289 | if (expectedHash === null) return; |
| 290 | |
| 291 | // Stream the file to avoid loading the entire archive into memory. |
| 292 | // Archives can be 10-100MB; streaming keeps RSS constant. |
| 293 | const hash = crypto.createHash("sha256"); |
| 294 | const fd = fs.openSync(archivePath, "r"); |
| 295 | try { |
| 296 | const buf = Buffer.alloc(64 * 1024); |
| 297 | let bytesRead; |
| 298 | while ((bytesRead = fs.readSync(fd, buf, 0, buf.length, null)) > 0) { |
| 299 | hash.update(buf.subarray(0, bytesRead)); |
| 300 | } |
| 301 | } finally { |
| 302 | fs.closeSync(fd); |
| 303 | } |
| 304 | const actual = hash.digest("hex"); |
| 305 | |
| 306 | if (actual.toLowerCase() !== expectedHash.toLowerCase()) { |
| 307 | throw new Error( |
| 308 | `[SECURITY] Checksum mismatch for ${path.basename(archivePath)}: expected ${expectedHash} but got ${actual}` |
| 309 | ); |
| 310 | } |
| 311 | } |
| 312 | |
| 313 | if (require.main === module) { |
| 314 | if (!platform || !arch) { |
no outgoing calls
no test coverage detected