From 1b97b24016151b7f1235677f8f78d7376836caa8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 14:57:06 +0000
Subject: [PATCH 1/2] Initial plan


From a81f71d8cc09c3cb2dde17110aa11f894790317a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 15:05:05 +0000
Subject: [PATCH 2/2] fix: sha256sum --ignore-missing silently passes when no
 entry matches binary name

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 templates/1es-base.yml  |  6 +++---
 templates/base.yml      | 10 +++++-----
 tests/compiler_tests.rs |  8 ++++++--
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/templates/1es-base.yml b/templates/1es-base.yml
index 4dad52e..f46ea95 100644
--- a/templates/1es-base.yml
+++ b/templates/1es-base.yml
@@ -67,7 +67,7 @@ extends:
 
                       echo "Verifying checksum..."
                       cd "$DOWNLOAD_DIR"
-                      sha256sum -c checksums.txt --ignore-missing
+                      grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                       mv ado-aw-linux-x64 ado-aw
                       chmod +x ado-aw
                     displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -182,7 +182,7 @@ extends:
 
                   echo "Verifying checksum..."
                   cd "$DOWNLOAD_DIR"
-                  sha256sum -c checksums.txt --ignore-missing
+                  grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                   mv ado-aw-linux-x64 ado-aw
                   chmod +x ado-aw
                 displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -327,7 +327,7 @@ extends:
 
                   echo "Verifying checksum..."
                   cd "$DOWNLOAD_DIR"
-                  sha256sum -c checksums.txt --ignore-missing
+                  grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                   mv ado-aw-linux-x64 ado-aw
                   chmod +x ado-aw
                 displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
diff --git a/templates/base.yml b/templates/base.yml
index 0852b60..b9ad88f 100644
--- a/templates/base.yml
+++ b/templates/base.yml
@@ -65,7 +65,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -185,7 +185,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "awf-linux-x64" checksums.txt | sha256sum -c -
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
@@ -325,7 +325,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -346,7 +346,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "awf-linux-x64" checksums.txt | sha256sum -c -
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
@@ -523,7 +523,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
diff --git a/tests/compiler_tests.rs b/tests/compiler_tests.rs
index 23677cc..484a659 100644
--- a/tests/compiler_tests.rs
+++ b/tests/compiler_tests.rs
@@ -145,8 +145,12 @@ fn test_compiled_yaml_structure() {
         "Template should download the compiler from GitHub Releases"
     );
     assert!(
-        template_content.contains("sha256sum -c checksums.txt --ignore-missing"),
-        "Template should verify checksum using checksums.txt"
+        !template_content.contains("sha256sum -c checksums.txt --ignore-missing"),
+        "Template should not use --ignore-missing which silently passes when binary is missing from checksums"
+    );
+    assert!(
+        template_content.contains(r#"grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -"#),
+        "Template should verify ado-aw checksum using targeted grep to ensure binary entry exists"
     );
 
     // Verify AWF (Agentic Workflow Firewall) is downloaded from GitHub Releases, not ADO pipeline artifacts