fix: sha256sum --ignore-missing silently passes when binary is absent from checksums.txt

templates/1es-base.yml

@@ -67,7 +67,7 @@ extends:
 
                       echo "Verifying checksum..."
                       cd "$DOWNLOAD_DIR"
-                      sha256sum -c checksums.txt --ignore-missing
+                      grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                       mv ado-aw-linux-x64 ado-aw
                       chmod +x ado-aw
                     displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -182,7 +182,7 @@ extends:
 
                   echo "Verifying checksum..."
                   cd "$DOWNLOAD_DIR"
-                  sha256sum -c checksums.txt --ignore-missing
+                  grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                   mv ado-aw-linux-x64 ado-aw
                   chmod +x ado-aw
                 displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -327,7 +327,7 @@ extends:
 
                   echo "Verifying checksum..."
                   cd "$DOWNLOAD_DIR"
-                  sha256sum -c checksums.txt --ignore-missing
+                  grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
                   mv ado-aw-linux-x64 ado-aw
                   chmod +x ado-aw
                 displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"

templates/base.yml

@@ -65,7 +65,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -185,7 +185,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "awf-linux-x64" checksums.txt | sha256sum -c -
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
@@ -325,7 +325,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"
@@ -346,7 +346,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "awf-linux-x64" checksums.txt | sha256sum -c -
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
@@ -523,7 +523,7 @@ jobs:
 
           echo "Verifying checksum..."
           cd "$DOWNLOAD_DIR"
-          sha256sum -c checksums.txt --ignore-missing
+          grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -
           mv ado-aw-linux-x64 ado-aw
           chmod +x ado-aw
         displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"

tests/compiler_tests.rs

@@ -145,8 +145,12 @@ fn test_compiled_yaml_structure() {
         "Template should download the compiler from GitHub Releases"
     );
     assert!(
-        template_content.contains("sha256sum -c checksums.txt --ignore-missing"),
-        "Template should verify checksum using checksums.txt"
+        !template_content.contains("sha256sum -c checksums.txt --ignore-missing"),
+        "Template should not use --ignore-missing which silently passes when binary is missing from checksums"
+    );
+    assert!(
+        template_content.contains(r#"grep "ado-aw-linux-x64" checksums.txt | sha256sum -c -"#),
+        "Template should verify ado-aw checksum using targeted grep to ensure binary entry exists"
     );
 
     // Verify AWF (Agentic Workflow Firewall) is downloaded from GitHub Releases, not ADO pipeline artifacts