How to Verify Checksums for Downloaded Tools in CI
Pin the expected SHA-256 and check it with sha256sum -c so a swapped or corrupted download aborts the job.
When you curl a tool into a build, record its known-good SHA-256 and verify it with sha256sum -c before running it. A mismatch exits non-zero, so a compromised mirror cannot slip a modified binary into your pipeline.
Steps
- Obtain the official SHA-256 for the version you pin.
- Download the file, then verify with
sha256sum -c. - Only chmod and run the binary after verification passes.
Terminal
Terminal
EXPECTED=9f2c...c1a # official sha256 for the pinned version
curl -fsSL -o tool.tar.gz https://example.com/tool-v1.2.3.tar.gz
echo "${EXPECTED} tool.tar.gz" | sha256sum -c -
tar xzf tool.tar.gzGotchas
- Pin both the version and the checksum; a floating "latest" URL defeats verification.
- Use
-fsSLon curl so an HTTP error does not produce a "valid" but empty file.
Related guides
How to Enforce Lockfile Integrity in CIEnforce exact, reproducible dependency installs in CI with npm ci and frozen-lockfile modes, so a mismatched…
How to Use a Private or Proxied Registry in CIRoute CI package installs through a private or proxied registry so builds pull vetted, cached artifacts from…