diff --git a/packages/cli/bundle-tools.json b/packages/cli/bundle-tools.json
index 98d1497e7..609780051 100644
--- a/packages/cli/bundle-tools.json
+++ b/packages/cli/bundle-tools.json
@@ -47,7 +47,10 @@
 "repository": "github:SocketDev/socket-basics",
 "release": "archive",
 "version": "v2.0.2",
- "packageManager": "pip"
+ "packageManager": "pip",
+ "checksums": {
+ "socket-basics-v2.0.2.tar.gz": "ba175171f07ac927eb926387e526283320630e80da42da000ec6894a55adeb13"
+ }
 },
 "socketsecurity": {
 "description": "Socket Python CLI (socket-python-cli)",
diff --git a/packages/cli/scripts/sea-build-utils/downloads.mts b/packages/cli/scripts/sea-build-utils/downloads.mts
index cdffbba16..751b7671b 100644
--- a/packages/cli/scripts/sea-build-utils/downloads.mts
+++ b/packages/cli/scripts/sea-build-utils/downloads.mts
@@ -538,6 +538,17 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
 const releaseVersion = socketBasicsConfig.version
 const version = releaseVersion.replace(/^v/, '') // Remove 'v' prefix for version
+ // Checksum key matches the local filename convention used for
+ // archive-style releases (`socket-basics-v.tar.gz`).
+ const archiveKey = `socket-basics-${releaseVersion}.tar.gz`
+ const archiveSha256 = socketBasicsConfig.checksums?.[archiveKey]
+ if (!archiveSha256) {
+ throw new Error(
+ `Missing SHA-256 checksum for socket-basics archive: ${archiveKey}. ` +
+ 'Please update bundle-tools.json with the correct checksum.',
+ )
+ }
+
 logger.log(` Installing socket_basics ${version} from GitHub...`)
 // Download source tarball from GitHub.
@@ -551,6 +562,7 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
 progressInterval: 10,
 retries: 2,
 retryDelay: 5_000,
+ sha256: archiveSha256,
 })
 // Install from tarball using pip (handles building and dependencies).
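Review bot: The guard `if (!archiveSha256)` in the first downloads.mts hunk only checks that a value is present, so a truncated or mistyped digest in bundle-tools.json is passed on unchanged and the result depends on how the download helper treats a malformed `sha256`. Checking the shape here, for example `if (typeof archiveSha256 !== 'string' || !/^[0-9a-f]{64}$/i.test(archiveSha256)) {`, keeps the failure at this point with the actionable message. If the URL built in the elided lines is GitHub's auto-generated tag archive rather than an uploaded release asset, those bytes are not guaranteed to stay identical over time; a mismatch then fails closed, which is the safe direction, but a short comment saying so would save the next maintainer a confusing build break. The body of downloadExternalTools starts and ends outside this hunk.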
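Review bot: Passing `sha256: archiveSha256` in the second downloads.mts hunk pins the source tarball only. The step announced by the context comment `// Install from tarball using pip (handles building and dependencies).` still lets pip resolve dependencies and build requirements that this digest does not cover. If the pip call (outside this hunk) does not already install from a hash-pinned requirements file with `--require-hashes`, the bundled tool is only partly pinned, and a comment such as `// sha256 covers the source archive only; dependencies are resolved by pip at install time` would make that boundary explicit. It is also worth confirming that the download helper re-verifies a file left over from an earlier run and removes it on mismatch, since that behaviour is not visible here.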