fix(install): make checksum verification mandatory

e2e/install/sh_test.sh

@@ -68,6 +68,32 @@ test_guidance_mentions_restart() {
   assert_output_contains "$INSTALL_OUTPUT" "restart your shell" "mentions shell restart"
 }
 
+test_skip_checksum_env() {
+  printf 'TEST: OPENSHELL_NO_VERIFY=1 skips checksum verification\n'
+
+  _skip_base="$(mktemp -d)"
+  _skip_dir="${_skip_base}/bin"
+  _skip_output="$(OPENSHELL_NO_VERIFY=1 \
+    OPENSHELL_INSTALL_DIR="$_skip_dir" \
+    SHELL="/bin/sh" \
+    PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" \
+    sh "$INSTALL_SCRIPT" 2>&1)" || {
+    fail "install succeeds with OPENSHELL_NO_VERIFY=1" "exit code: $?"
+    rm -rf "$_skip_base"
+    return 1
+  }
+
+  assert_output_contains "$_skip_output" "checksum verification skipped" \
+    "shows checksum skip message"
+
+  if [ -f "$_skip_dir/openshell" ]; then
+    pass "binary installed with checksum skip"
+  else
+    fail "binary installed with checksum skip" "not found at $_skip_dir/openshell"
+  fi
+  rm -rf "$_skip_base"
+}
+
 test_no_env_scripts_created() {
   printf 'TEST: no env scripts are created in install dir\n'
 
@@ -100,6 +126,7 @@ test_binary_runs;                 echo ""
 test_guidance_shows_export_path;  echo ""
 test_guidance_mentions_not_on_path; echo ""
 test_guidance_mentions_restart;   echo ""
+test_skip_checksum_env;           echo ""
 test_no_env_scripts_created
 
 print_summary

install.sh

@@ -13,6 +13,7 @@
 # Environment variables:
 #   OPENSHELL_VERSION     - Release tag to install (default: latest tagged release)
 #   OPENSHELL_INSTALL_DIR - Directory to install into (default: ~/.local/bin)
+#   OPENSHELL_NO_VERIFY   - Set to "1" to skip checksum verification (not recommended)
 #
 set -eu
 
@@ -50,11 +51,13 @@ USAGE:
     ./install.sh [OPTIONS]
 
 OPTIONS:
-    --help    Print this help message
+    --help                Print this help message
+    --no-verify-checksum  Skip SHA-256 checksum verification (not recommended)
 
 ENVIRONMENT VARIABLES:
     OPENSHELL_VERSION       Release tag to install (default: latest tagged release)
     OPENSHELL_INSTALL_DIR   Directory to install into (default: ~/.local/bin)
+    OPENSHELL_NO_VERIFY     Set to "1" to skip checksum verification (not recommended)
 
 EXAMPLES:
     # Install latest release
@@ -65,6 +68,9 @@ EXAMPLES:
 
     # Install to /usr/local/bin
     curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_INSTALL_DIR=/usr/local/bin sh
+
+    # Skip checksum verification (not recommended)
+    curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_NO_VERIFY=1 sh
 EOF
 }
 
@@ -180,20 +186,18 @@ verify_checksum() {
   _vc_checksums="$2"
   _vc_filename="$3"
 
-  _vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
+  _vc_expected="$(awk -v fname="$_vc_filename" '$2 == fname { print $1 }' "$_vc_checksums")"
 
   if [ -z "$_vc_expected" ]; then
-    warn "no checksum found for $_vc_filename, skipping verification"
-    return 0
+    error "no checksum found for $_vc_filename in checksums file (set OPENSHELL_NO_VERIFY=1 or use --no-verify-checksum to skip)"
   fi
 
   if has_cmd shasum; then
     echo "$_vc_expected  $_vc_archive" | shasum -a 256 -c --quiet 2>/dev/null
   elif has_cmd sha256sum; then
     echo "$_vc_expected  $_vc_archive" | sha256sum -c --quiet 2>/dev/null
   else
-    warn "sha256sum/shasum not found, skipping checksum verification"
-    return 0
+    error "sha256sum or shasum is required for checksum verification (install coreutils, set OPENSHELL_NO_VERIFY=1, or use --no-verify-checksum to skip)"
   fi
 }
 
@@ -223,13 +227,23 @@ is_on_path() {
 # ---------------------------------------------------------------------------
 
 main() {
+  # Normalise OPENSHELL_NO_VERIFY to "1" or "0".
+  # Accept common truthy values: 1, true, yes, y (case-insensitive).
+  case "$(printf '%s' "${OPENSHELL_NO_VERIFY:-}" | tr '[:upper:]' '[:lower:]')" in
+    1|true|yes|y) _skip_checksum=1 ;;
+    *)            _skip_checksum=0 ;;
+  esac
+
   # Parse CLI flags
   for arg in "$@"; do
     case "$arg" in
       --help)
         usage
         exit 0
         ;;
+      --no-verify-checksum)
+        _skip_checksum=1
+        ;;
       *)
         error "unknown option: $arg"
         ;;
@@ -255,13 +269,17 @@ main() {
   fi
 
   # Verify checksum
-  info "verifying checksum..."
-  if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
-    if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
-      error "checksum verification failed for ${_filename}"
-    fi
+  if [ "$_skip_checksum" = "1" ]; then
+    warn "checksum verification skipped (OPENSHELL_NO_VERIFY=1 or --no-verify-checksum)"
   else
-    warn "could not download checksums file, skipping verification"
+    info "verifying checksum..."
+    if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
+      if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
+        error "checksum verification failed for ${_filename}"
+      fi
+    else
+      error "failed to download checksums file from ${_checksums_url} (set OPENSHELL_NO_VERIFY=1 or use --no-verify-checksum to skip verification)"
+    fi
   fi
 
   # Extract