mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-06-03 21:08:13 +02:00
BigBodyCobain
c2c9748ab5
start.bat and start.sh only checked the source-tree DLL path (``privacy-core/target/release/privacy_core.dll``), not the bundled location where MSI/AppImage/DMG installers stage the library directly next to the script in backend-runtime/. Users running start.bat from inside an MSI install dir (a documented workaround when the desktop shell crashes) saw a scary "install Rust" warning even though the DLL was sitting right next to them. See issue #319 for the user-reported confusion. Fix: add a fallback check for the bundled location before falling through to the "build privacy-core from source" warning. Source-tree behavior unchanged — the source path is still preferred when present. Also re-stamps the v0.9.81 source archive: ``release_digests.json`` v0.9.81 zip hash updated to point at the rebuilt source archive that contains these script changes. MSI/EXE/sig hashes are unchanged (the scripts live at the repo root, not inside the desktop bundle). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
51 lines
2.7 KiB
JSON
51 lines
2.7 KiB
JSON
{
|
|
"_comment": [
|
|
"Baked-in SHA-256 digests for known Shadowbroker release archives.",
|
|
"",
|
|
"Issue #231: the self-updater previously skipped integrity verification",
|
|
"entirely whenever the MESH_UPDATE_SHA256 env var was unset (which is the",
|
|
"default — nothing in the install docs tells operators to set it). That",
|
|
"made the auto-update a supply-chain RCE on any compromise of the GitHub",
|
|
"release pipeline.",
|
|
"",
|
|
"The fix uses a multi-source verification chain mirroring the Tor bundle",
|
|
"digest approach in #201:",
|
|
"",
|
|
" 1. MESH_UPDATE_SHA256 env var (operator override, preserved)",
|
|
" 2. SHA256SUMS.txt asset published alongside each release (primary —",
|
|
" the maintainer's release process already publishes this)",
|
|
" 3. This baked-in digest list (second line of defense for releases",
|
|
" missing a SHA256SUMS asset, or when the asset can't be fetched)",
|
|
" 4. HTTPS-only fallback with a loud warning (preserves auto-update",
|
|
" flow during transient outages so users don't get stuck)",
|
|
"",
|
|
"Mismatch from a source that DID respond is fatal — the update is",
|
|
"refused and the existing install keeps running. Only the 'no source",
|
|
"reachable at all' case falls back to HTTPS-only.",
|
|
"",
|
|
"Format: each entry is keyed by release tag and maps asset filenames",
|
|
"to their canonical SHA-256 digest (hex, lowercase). The updater",
|
|
"compares the locally-computed digest of the downloaded asset against",
|
|
"the value here.",
|
|
"",
|
|
"When the maintainer ships a new release, add its digests here BEFORE",
|
|
"removing the old ones so operators on the old code still validate",
|
|
"against the previous entries during the transition."
|
|
],
|
|
"v0.9.79": {
|
|
"ShadowBroker_v0.9.79.zip": "f6877c1d66614525315ea82636ce9f7b41178332c4dbf90d27431a1ea1d9cd47",
|
|
"ShadowBroker_0.9.79_x64-setup.exe": "f7b676ada45cac7da05868b0a353678c9ee700e3abcf456a7c0c038c36da446f",
|
|
"ShadowBroker_0.9.79_x64_en-US.msi": "e0713c3cdda184cfbea750bfac0d62a35678fec00847e6476f2cac8e7e42046e"
|
|
},
|
|
"v0.9.8": {
|
|
"ShadowBroker_v0.9.8.zip": "183bb5cd62b9b9349d95df5ef7696cb6ca810ab4b991fa9dab6f898af4c7a175",
|
|
"ShadowBroker_0.9.8_x64-setup.exe": "94a0309862e9c81c92cdcbfea8eec9dbb97eef19ded82b26217b397defbc810c",
|
|
"ShadowBroker_0.9.8_x64_en-US.msi": "fe22f9d51e4360d74c18a7250c2fbb9ed4fa4c7a884b3ac0d04a21115466386b"
|
|
},
|
|
"v0.9.81": {
|
|
"ShadowBroker_v0.9.81.zip": "31e5273253f329746ca2c4dc3f1da47e50a30981759b33056b3174e6474b9e4b",
|
|
"ShadowBroker_0.9.81_x64-setup.exe": "eca884b9d37eeccd0f11c91dcc6f6ae1b3609d9dee72bd73c37c9a427babfef2",
|
|
"ShadowBroker_0.9.81_x64_en-US.msi": "a45b177c26c95d2b28d71592d7147e88ff4e104865f214fde11249d311ec9e25"
|
|
}
|
|
}
|