
[runtime-threat-scan] install_antigravity_cli.sh: SHA256 checksum silently skipped on HTTP 404 #141

Description

@github-actions

Summary

setup/sh/install_antigravity_cli.sh silently skips checksum verification when the download of checksums.txt returns HTTP 404 (lines 86–89): it prints a warning, sets VERIFY_CHECKSUM=false and continues. The binary is then installed to /usr/local/bin/agy without any integrity guarantee.

# Current behaviour: a missing checksums.txt downgrades verification to a warning
if [ "${CHECKSUMS_DOWNLOAD_STATUS}" = "404" ]; then
  echo "WARNING: checksums.txt not found for version ${VERSION}; skipping checksum verification."
  VERIFY_CHECKSUM=false
fi

Risk

If an attacker can remove or prevent delivery of checksums.txt from the GCS bucket (or a version is published before its checksum file), a tampered binary tarball served from storage.googleapis.com/antigravity-public/ would be installed on the runner without detection. Note that every other non-200 status for checksums.txt already aborts with an error; only 404 is treated as a soft failure.

Recommended Fix

Replace the 404 soft-skip with a hard failure:

# Proposed behaviour: anything other than a successful download aborts the install
if [ "${CHECKSUMS_DOWNLOAD_STATUS}" != "200" ]; then
  echo "ERROR: Failed to download checksums.txt (HTTP ${CHECKSUMS_DOWNLOAD_STATUS})"
  exit 1
fi

If older versions genuinely lack a checksums.txt, maintain an explicit allowlist of known-legacy versions and skip verification only for those, rather than silently bypassing it for any 404.
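The following is an added example of what the hard-fail plus legacy-allowlist approach looks like end to end; it is not the project's installer. The function names, the LEGACY_VERSIONS variable, the tarball file name and the constructed sample files are assumptions for illustration. The HTTP status is passed in rather than fetched, so the policy and the SHA-256 check can be exercised offline.

```shell
#!/bin/sh
# Added example, not the project's installer: hardened handling of the
# checksums.txt download for an installer like install_antigravity_cli.sh.
# Function names, LEGACY_VERSIONS and the tarball name are assumptions.
set -eu

# Versions known to have shipped without checksums.txt. Empty by default, so
# a 404 for any version not listed here aborts the install.
LEGACY_VERSIONS="${LEGACY_VERSIONS:-}"

# Returns 0 if $1 is an explicitly allowlisted legacy version, 1 otherwise.
is_legacy_version() {
  local v
  for v in $LEGACY_VERSIONS; do
    [ "$v" = "$1" ] && return 0
  done
  return 1
}

# Map the HTTP status of the checksums.txt download to a decision.
# Prints "verify" or "skip-legacy" and returns 0, or prints "abort" and
# returns 1. Only a 404 for an allowlisted version is ever skipped.
checksum_policy() {
  local status="$1" version="$2"
  if [ "$status" = "200" ]; then
    echo verify; return 0
  fi
  if [ "$status" = "404" ] && is_legacy_version "$version"; then
    echo skip-legacy; return 0
  fi
  echo abort; return 1
}

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Verify file $1 against a checksums.txt ($2) in sha256sum format
# ("<hex>  <name>" or "<hex> *<name>"). A missing entry fails, as does a
# hash mismatch: an attacker who can drop a line gets no free pass.
verify_against_checksums() {
  local file="$1" checksums="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "ERROR: no checksum entry for $name in $checksums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" != "$actual" ]; then
    echo "ERROR: checksum mismatch for $name (expected $expected, got $actual)" >&2
    return 1
  fi
  return 0
}

# The combined decision: returns 0 only when the tarball may be installed.
verify_download() {
  local status="$1" version="$2" tarball="$3" checksums="$4" policy
  policy=$(checksum_policy "$status" "$version") || {
    echo "ERROR: Failed to download checksums.txt (HTTP $status)" >&2
    return 1
  }
  case "$policy" in
    verify) verify_against_checksums "$tarball" "$checksums" ;;
    skip-legacy)
      echo "WARNING: version $version is allowlisted as legacy; checksum not verified" >&2 ;;
  esac
}

# Constructed demo: a stand-in tarball and checksums.txt in a temp dir.
demo() {
  local dir tarball
  dir=$(mktemp -d)
  tarball="$dir/agy_1.2.3_linux_amd64.tar.gz"   # file name is an assumption
  printf 'fake tarball contents' > "$tarball"
  printf '%s  %s\n' "$(sha256_of "$tarball")" "$(basename "$tarball")" > "$dir/checksums.txt"

  verify_download 200 1.2.3 "$tarball" "$dir/checksums.txt" && echo "ok: verified"
  verify_download 404 1.2.3 "$tarball" "$dir/checksums.txt" || echo "ok: 404 aborted"
  printf 'tampered' > "$tarball"
  verify_download 200 1.2.3 "$tarball" "$dir/checksums.txt" || echo "ok: tamper rejected"
  rm -rf "$dir"
}
demo
```

The allowlist is deliberately empty unless the caller sets LEGACY_VERSIONS, so the default is fail-closed; a 404 for a listed version still logs a warning to stderr so the downgrade is visible in the runner output.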

Generated by Daily Runtime Threat Scan
