feat: add checksum verification

- Add checksum module with SHA256, SHA512, and MD5 support
- Auto-detect checksum files in releases (.sha256, .sha512, .md5)
- Add --verify flag to install command
- Verify downloads against published checksums
- Support sha256sum-style checksum files

Part of v0.3.0 phase 2 (checksum verification).

Author: clawdeeo

Cargo.lock

@@ -32,7 +32,8 @@ indexmap = "=2.0.2"
 url = "=2.4.1"
 base64 = "=0.21.7"
 base64ct = "=1.6.0"
-atty = "=0.2.14"
+sha2 = "=0.10.8"
+md5 = "=0.7.0"
 
-[dev-dependencies]
+atty = "=0.2.14"
 assert_cmd = "2.0.12"

Cargo.toml

@@ -0,0 +1,136 @@
+use anyhow::{bail, Context, Result};
+use sha2::{Digest, Sha256, Sha512};
+use std::fs;
+use std::io::Read;
+use std::path::Path;
+
+/// Supported checksum algorithms
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ChecksumAlgorithm {
+    Sha256,
+    Sha512,
+    Md5,
+}
+
+/// Checksum file information
+#[derive(Debug, Clone)]
+#[allow(dead_code)]
+pub struct ChecksumFile {
+    pub algorithm: ChecksumAlgorithm,
+    pub filename: String,
+    pub expected_hash: String,
+}
+
+/// Detect if a filename is a checksum file
+pub fn is_checksum_file(filename: &str) -> Option<ChecksumAlgorithm> {
+    let lower = filename.to_lowercase();
+    if lower.ends_with(".sha256") || lower.contains(".sha256.") {
+        Some(ChecksumAlgorithm::Sha256)
+    } else if lower.ends_with(".sha512") || lower.contains(".sha512.") {
+        Some(ChecksumAlgorithm::Sha512)
+    } else if lower.ends_with(".md5") || lower.contains(".md5.") {
+        Some(ChecksumAlgorithm::Md5)
+    } else {
+        None
+    }
+}
+
+/// Find checksum file for a given asset in release assets
+pub fn find_checksum_file(
+    asset_name: &str,
+    assets: &[crate::github::Asset],
+) -> Option<(ChecksumAlgorithm, String)> {
+    // Try exact match patterns first
+    let patterns = vec![
+        format!("{}.sha256", asset_name),
+        format!("{}.sha512", asset_name),
+        format!("{}.md5", asset_name),
+    ];
+
+    for asset in assets {
+        for pattern in &patterns {
+            if asset.name == *pattern {
+                let algo = is_checksum_file(&asset.name)?;
+                return Some((algo, asset.browser_download_url.clone()));
+            }
+        }
+    }
+
+    // Try generic checksum files (checksums.txt, SHA256SUMS, etc.)
+    for asset in assets {
+        let name_lower = asset.name.to_lowercase();
+        if name_lower.contains("checksum") || name_lower.contains("sha256sum") {
+            return Some((
+                ChecksumAlgorithm::Sha256,
+                asset.browser_download_url.clone(),
+            ));
+        }
+    }
+
+    None
+}
+
+/// Verify file against expected checksum
+pub fn verify_file(file_path: &Path, expected: &str, algo: ChecksumAlgorithm) -> Result<()> {
+    let calculated = calculate_checksum(file_path, algo)?;
+    let expected_clean = expected.trim().to_lowercase();
+    let calculated_clean = calculated.to_lowercase();
+
+    if expected_clean != calculated_clean {
+        bail!(
+            "Checksum mismatch:\n  Expected:   {}\n  Calculated: {}",
+            expected_clean,
+            calculated_clean
+        );
+    }
+
+    Ok(())
+}
+
+/// Calculate checksum of a file
+pub fn calculate_checksum(file_path: &Path, algo: ChecksumAlgorithm) -> Result<String> {
+    let mut file = fs::File::open(file_path).context("Failed to open file for checksum")?;
+    let mut buffer = Vec::new();
+    file.read_to_end(&mut buffer)
+        .context("Failed to read file")?;
+
+    let hash = match algo {
+        ChecksumAlgorithm::Sha256 => {
+            let mut hasher = Sha256::new();
+            hasher.update(&buffer);
+            format!("{:x}", hasher.finalize())
+        }
+        ChecksumAlgorithm::Sha512 => {
+            let mut hasher = Sha512::new();
+            hasher.update(&buffer);
+            format!("{:x}", hasher.finalize())
+        }
+        ChecksumAlgorithm::Md5 => {
+            let hash = md5::compute(&buffer);
+            format!("{:x}", hash)
+        }
+    };
+
+    Ok(hash)
+}
+
+/// Parse checksum from checksum file content
+pub fn parse_checksum_file(content: &str, target_filename: &str) -> Option<String> {
+    for line in content.lines() {
+        let line = line.trim();
+        if line.is_empty() || line.starts_with('#') {
+            continue;
+        }
+
+        // Handle "HASH  filename" format (sha256sum style)
+        let parts: Vec<&str> = line.split_whitespace().collect();
+        if parts.len() >= 2 {
+            let hash = parts[0];
+            let filename = parts[1].trim_start_matches('*'); // Remove binary marker
+            if filename == target_filename {
+                return Some(hash.to_string());
+            }
+        }
+    }
+    None
+}

src/checksum.rs

@@ -19,6 +19,8 @@ pub enum Commands {
         force: bool,
         #[arg(long)]
         dry_run: bool,
+        #[arg(long)]
+        verify: bool,
     },
     List {
         #[arg(short, long)]

src/cli.rs

@@ -345,6 +345,18 @@ impl GithubClient {
 
         Ok(())
     }
+
+    /// Download text content from URL
+    pub async fn download_text(&self, url: &str) -> std::result::Result<String, GithubError> {
+        let resp = self.add_auth(self.client.get(url)).send().await?;
+        if !resp.status().is_success() {
+            return Err(GithubError::DownloadError(format!(
+                "HTTP {}",
+                resp.status()
+            )));
+        }
+        Ok(resp.text().await?)
+    }
 }
 
 /// Find the best matching asset for a given platform

src/github.rs

@@ -3,6 +3,7 @@ use std::fs;
 use std::path::{Path, PathBuf};
 use tracing::warn;
 
+use crate::checksum::{find_checksum_file, verify_file};
 use crate::config::Config;
 use crate::extract::extract_archive;
 use crate::github::{find_matching_asset, parse_package, Asset, GithubClient, Platform, Release};
@@ -13,6 +14,7 @@ pub async fn handle_install(
     package: &str,
     force: bool,
     dry_run: bool,
+    verify: bool,
     config: &Config,
 ) -> Result<()> {
     let (owner, repo, version) = parse_package(package)?;
@@ -63,6 +65,26 @@ pub async fn handle_install(
         .download_asset(asset, &download_path, config.download.show_progress)
         .await?;
 
+    // Verify checksum if requested or configured
+    if verify || config.download.verify_checksums {
+        if let Some((algo, checksum_url)) = find_checksum_file(&asset.name, &release.assets) {
+            let checksum_data = client.download_text(&checksum_url).await?;
+            if let Some(expected) =
+                crate::checksum::parse_checksum_file(&checksum_data, &asset.name)
+            {
+                if !config.output.quiet {
+                    println!("Verifying checksum...");
+                }
+                verify_file(&download_path, &expected, algo)?;
+                if !config.output.quiet {
+                    println!("Checksum verified");
+                }
+            }
+        } else if verify {
+            bail!("Checksum verification requested but no checksum file found");
+        }
+    }
+
     let pkg_install_dir = config.install_dir.join("packages").join(&key);
     fs::create_dir_all(&pkg_install_dir)?;
 
@@ -132,7 +154,7 @@ async fn update_one(package: &str, config: &Config) -> Result<()> {
         );
     }
     crate::registry::uninstall(package, &config.install_dir)?;
-    handle_install(package, false, false, config).await
+    handle_install(package, false, false, false, config).await
 }
 
 async fn update_all(config: &Config) -> Result<()> {

src/install.rs

@@ -1,3 +1,4 @@
+pub mod checksum;
 pub mod cli;
 pub mod config;
 pub mod extract;