fix: sha256sum --ignore-missing silently passes when binary is absent from checksums.txt #47

Merged
jamesadevine merged 2 commits into main from copilot/fix-sha256sum-silent-exit
Mar 17, 2026
Copilot AI commented Mar 17, 2026

sha256sum -c checksums.txt --ignore-missing exits 0 when every file listed in checksums.txt is absent from disk — meaning if the downloaded binary name doesn't appear in the checksum file at all, verification silently succeeds and a swapped/corrupted binary passes undetected.

Changes

  • templates/base.yml — Replace all 5 checksum verification lines (3× ado-aw-linux-x64, 2× awf-linux-x64) with a targeted grep-pipe approach
  • templates/1es-base.yml — Same fix for 3× ado-aw-linux-x64 download steps
  • tests/compiler_tests.rs — Update assertion to verify the new pattern is present and the old --ignore-missing pattern is absent

Before / After

# Before — silent pass if binary name missing from checksums.txt
sha256sum -c checksums.txt --ignore-missing

# After — grep fails with exit 1 if entry absent; sha256sum verifies without --ignore-missing
grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -

grep returning exit 1 on a missing entry propagates as a pipeline failure, eliminating the silent-pass vulnerability. Same pattern applied to awf-linux-x64 downloads.

Original prompt

This section details on the original issue you should resolve

<issue_title>fix: sha256sum --ignore-missing silently passes when no entry matches binary name</issue_title>
<issue_description>sha256sum -c checksums.txt --ignore-missing exits 0 if all listed files happen to be missing (the --ignore-missing flag suppresses "no such file" errors entirely). If checksums.txt contains no entry matching the downloaded binary name, verification silently passes — meaning a corrupted or swapped binary could slip through.

Suggested fix: After the sha256sum call, add an explicit check that the expected binary was actually verified. Options:

  1. Add --strict flag (if supported by the target sha256sum version)
  2. Post-check that the binary filename appears in the checksums output:
    sha256sum -c checksums.txt --ignore-missing 2>&1 | grep -q "ado-aw-linux-x64"
  3. Use a targeted checksum line instead of the full checksums.txt:
    grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -

This applies to all download steps in both templates/base.yml and templates/1es-base.yml (ado-aw compiler downloads and AWF firewall downloads).

From PR #43 review feedback.
</issue_description>


… binary name

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix sha256sum silent pass issue with missing entries fix: sha256sum --ignore-missing silently passes when binary is absent from checksums.txt Mar 17, 2026
Copilot AI requested a review from jamesadevine March 17, 2026 15:05
@jamesadevine jamesadevine marked this pull request as ready for review March 17, 2026 16:04
@jamesadevine jamesadevine merged commit 26c03c4 into main Mar 17, 2026
6 checks passed
@jamesadevine jamesadevine deleted the copilot/fix-sha256sum-silent-exit branch March 17, 2026 17:21
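
An added example, not code from this pull request or the ado-aw repository: a shell helper that applies the same fail-closed idea as the targeted grep pattern discussed above, but matches the filename field exactly and requires a single entry, which goes a step beyond the merged fix. `verify_artifact`, `demo` and the `.sig` file are hypothetical, and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the ado-aw repository. verify_artifact and demo are
# hypothetical names. Assumes GNU-style checksum lines ("<digest>  <name>" or
# "<digest> *<name>") and artifact names without whitespace.

# usage: verify_artifact <checksums-file> <artifact-path>
# Returns 0 only when exactly one entry names the artifact and its digest matches.
verify_artifact() {
  local sums="$1" artifact="$2" name picked count expected actual
  name="$(basename -- "$artifact")"
  [ -r "$sums" ] && [ -f "$artifact" ] || { echo "missing input" >&2; return 2; }
  # Exact match on the filename field; prints "<match count> <digest>".
  picked="$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { c++; h = tolower($1) }
    END { print c + 0, h }' "$sums")"
  count="${picked%% *}"
  expected="${picked#* }"
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 entry for $name, found $count" >&2
    return 1
  fi
  actual="$(sha256sum < "$artifact" | awk '{ print $1 }')"
  [ "$actual" = "$expected" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# Constructed sample data in a temp dir. Prints one result word per case.
demo() {
  local d bin r
  d="$(mktemp -d)" || return 2
  bin="$d/ado-aw-linux-x64"
  printf 'constructed binary\n' > "$bin"
  printf 'constructed signature\n' > "$bin.sig"
  # Case 1: only a ".sig" entry exists. A substring grep for the binary name
  # would select this line; the exact match finds no entry and fails closed.
  (cd "$d" && sha256sum ado-aw-linux-x64.sig > checksums.txt)
  verify_artifact "$d/checksums.txt" "$bin" 2>/dev/null && r="pass" || r="fail"
  # Case 2: the binary's own entry is present and the digest matches.
  (cd "$d" && sha256sum ado-aw-linux-x64 >> checksums.txt)
  verify_artifact "$d/checksums.txt" "$bin" 2>/dev/null && r="$r pass" || r="$r fail"
  # Case 3: the binary changes after the checksum was recorded.
  printf 'tampered\n' >> "$bin"
  verify_artifact "$d/checksums.txt" "$bin" 2>/dev/null && r="$r pass" || r="$r fail"
  rm -rf "$d"
  echo "$r"
}

demo   # prints: fail pass fail
```

In a pipeline step the helper would be called as `verify_artifact checksums.txt ado-aw-linux-x64` directly after the download, so a non-zero return stops the job.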