mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-30 10:59:34 +02:00
e6aba86ce1
Re-cut v0.9.81 binaries from current main (which now includes the private gate + DM hashchain spool from #326 and the gate-directory test from #327).

All three artifacts were signed with the same minisign updater key as the original v0.9.81 release, so existing v0.9.81 installs on Tauri auto-update accept the new bundles.

Updated hashes (verified against released assets):
- ShadowBroker_v0.9.81.zip f81f454bdc88e9a32c351df38212b8cfa624704d65764b971bb091eef62259c6
- ShadowBroker_0.9.81_x64-setup.exe 25e9a95d0d8ce959a7d08fe8e7406772ae24b596652793e81d1de5d02510a5a6
- ShadowBroker_0.9.81_x64_en-US.msi 34e655fc0c0f195ee4ac978f228a4b2b9d5565253b8771aca9ef4693409e9e70

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
51 lines
2.7 KiB
JSON
{
  "_comment": [
    "Baked-in SHA-256 digests for known Shadowbroker release archives.",
    "",
    "Issue #231: the self-updater previously skipped integrity verification",
    "entirely whenever the MESH_UPDATE_SHA256 env var was unset (which is the",
    "default — nothing in the install docs tells operators to set it). That",
    "made the auto-update a supply-chain RCE on any compromise of the GitHub",
    "release pipeline.",
    "",
    "The fix uses a multi-source verification chain mirroring the Tor bundle",
    "digest approach in #201:",
    "",
    " 1. MESH_UPDATE_SHA256 env var (operator override, preserved)",
    " 2. SHA256SUMS.txt asset published alongside each release (primary —",
    " the maintainer's release process already publishes this)",
    " 3. This baked-in digest list (second line of defense for releases",
    " missing a SHA256SUMS asset, or when the asset can't be fetched)",
    " 4. HTTPS-only fallback with a loud warning (preserves auto-update",
    " flow during transient outages so users don't get stuck)",
    "",
    "Mismatch from a source that DID respond is fatal — the update is",
    "refused and the existing install keeps running. Only the 'no source",
    "reachable at all' case falls back to HTTPS-only.",
    "",
    "Format: each entry is keyed by release tag and maps asset filenames",
    "to their canonical SHA-256 digest (hex, lowercase). The updater",
    "compares the locally-computed digest of the downloaded asset against",
    "the value here.",
    "",
    "When the maintainer ships a new release, add its digests here BEFORE",
    "removing the old ones so operators on the old code still validate",
    "against the previous entries during the transition."
  ],
  "v0.9.79": {
    "ShadowBroker_v0.9.79.zip": "f6877c1d66614525315ea82636ce9f7b41178332c4dbf90d27431a1ea1d9cd47",
    "ShadowBroker_0.9.79_x64-setup.exe": "f7b676ada45cac7da05868b0a353678c9ee700e3abcf456a7c0c038c36da446f",
    "ShadowBroker_0.9.79_x64_en-US.msi": "e0713c3cdda184cfbea750bfac0d62a35678fec00847e6476f2cac8e7e42046e"
  },
  "v0.9.8": {
    "ShadowBroker_v0.9.8.zip": "183bb5cd62b9b9349d95df5ef7696cb6ca810ab4b991fa9dab6f898af4c7a175",
    "ShadowBroker_0.9.8_x64-setup.exe": "94a0309862e9c81c92cdcbfea8eec9dbb97eef19ded82b26217b397defbc810c",
    "ShadowBroker_0.9.8_x64_en-US.msi": "fe22f9d51e4360d74c18a7250c2fbb9ed4fa4c7a884b3ac0d04a21115466386b"
  },
  "v0.9.81": {
    "ShadowBroker_v0.9.81.zip": "f81f454bdc88e9a32c351df38212b8cfa624704d65764b971bb091eef62259c6",
    "ShadowBroker_0.9.81_x64-setup.exe": "25e9a95d0d8ce959a7d08fe8e7406772ae24b596652793e81d1de5d02510a5a6",
    "ShadowBroker_0.9.81_x64_en-US.msi": "34e655fc0c0f195ee4ac978f228a4b2b9d5565253b8771aca9ef4693409e9e70"
  }
}
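The lookup order and the fatal-mismatch rule described in the _comment above, as an added Python example (not the project's updater code). The function names, the sha256sum-style layout assumed for SHA256SUMS.txt, the rule that the first source listing the asset is authoritative, and the sample tag, asset and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a stand-in archive and a baked-in list in the file's format.
PAYLOAD = b"constructed release archive bytes"
TAG, ASSET = "v0.0.0-example", "Example_v0.0.0.zip"
BAKED = {TAG: {ASSET: hashlib.sha256(PAYLOAD).hexdigest()}}

def parse_sha256sums(text):
    """Parse 'HEX  filename' lines (assumed sha256sum layout) into {filename: hex}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            out[parts[1].lstrip("*")] = parts[0].lower()
    return out

def expected_digest(tag, asset, env_sha256, sums_text, baked):
    """Return (source, hex digest) from the first source that lists this asset."""
    if env_sha256:                                  # 1. operator override
        return "env", env_sha256.strip().lower()
    if sums_text is not None:                       # 2. SHA256SUMS.txt was fetched
        digest = parse_sha256sums(sums_text).get(asset)
        if digest:
            return "sha256sums", digest
    digest = baked.get(tag, {}).get(asset)          # 3. baked-in digest list
    if isinstance(digest, str):
        return "baked", digest.lower()
    return "https-only", None                       # 4. nothing to compare against

def check_update(data, tag, asset, env_sha256=None, sums_text=None, baked=None):
    """Return (accepted, source). A mismatch never falls through to a later source."""
    source, want = expected_digest(tag, asset, env_sha256, sums_text, baked or {})
    if want is None:
        print(f"WARNING: no digest source for {asset}; relying on HTTPS only")
        return True, source
    got = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(got, want), source
```

A source that answers with the wrong digest causes a refusal even when a later source in the chain would have matched; only the case where no source lists the asset reaches the HTTPS-only branch.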