From 8f7b1b464b6237902985413ac6f2526c70c22d05 Mon Sep 17 00:00:00 2001
From: Jernej Kos
Date: Thu, 16 Jan 2025 14:14:30 +0100
Subject: [PATCH] feat(cmd/rofl): Verify integrity of cached artifacts
---
cmd/rofl/build/artifacts.go | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/cmd/rofl/build/artifacts.go b/cmd/rofl/build/artifacts.go
index 7e44418..b4a3054 100644
--- a/cmd/rofl/build/artifacts.go
+++ b/cmd/rofl/build/artifacts.go
@@ -63,7 +63,16 @@ func maybeDownloadArtifact(kind, uri string) string {
 switch {
 case err == nil:
 // Already exists in cache.
- // TODO: Verify checksum and discard if invalid.
+ if knownHash != "" {
+ h := sha256.New()
+ if _, err = io.Copy(h, f); err != nil {
+ cobra.CheckErr(fmt.Errorf("failed to verify cached %s artifact: %w", kind, err))
+ }
+ artifactHash := fmt.Sprintf("%x", h.Sum(nil))
+ if artifactHash != knownHash {
+ cobra.CheckErr(fmt.Errorf("corrupted cached %s artifact file '%s' (expected: %s got: %s)", kind, cacheFn, knownHash, artifactHash))
+ }
+ }
 f.Close()
 fmt.Printf(" (using cached artifact)\n")
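Review bot: Verification is skipped without any trace when `knownHash` is empty: the `if knownHash != ""` guard falls straight through to the existing "(using cached artifact)" message, so a verified cache hit and an unverified one look identical in the output. An `else` branch that says so, for example `fmt.Printf(" (no hash given, cached artifact not verified)\n")`, would let a user see when a cached file was trusted as-is. On a mismatch `cobra.CheckErr` aborts but the bad file stays at `cacheFn`, so every later run fails the same way until it is deleted by hand; the removed TODO spoke of discarding it, so consider closing `f` and removing `cacheFn` before reporting the error. `maybeDownloadArtifact` begins and ends outside the hunk and the origin of `knownHash` is not visible here; if it can carry upper-case hex, the comparison against the lowercase `%x` output would reject a good file, which normalizing `knownHash` once where it is parsed would avoid.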