Skip to content

fix(distribution): canonical target-triplet table + verified/atomic installers#14

Merged
wesleysimplicio merged 1 commit into
masterfrom
fix/issue-5
Jul 14, 2026
Merged

fix(distribution): canonical target-triplet table + verified/atomic installers#14
wesleysimplicio merged 1 commit into
masterfrom
fix/issue-5

Conversation

@wesleysimplicio

Copy link
Copy Markdown
Owner

Summary

Issue #5 is a large P0 distribution epic. This PR lands a real, self-contained slice: it fixes the concrete naming drift that was breaking the Windows installer today, and turns that class of bug into a CI-enforced invariant.

Bug found and fixed: install.ps1 downloaded simplicio-windows-x64 while .github/workflows/release.yml staged simplicio-windows-x86_64.exe β€” no release asset ever matched what the installer requested, so irm .../install.ps1 | iex on Windows was broken. install.sh had the same problem for macOS/Linux: it built asset names from darwin/x86_64, but the workflow only ever published macos-arm64/darwin-x64/linux-x64.

What changed

  • distribution/targets.json β€” the canonical target-triplet table (AC: "tabela canΓ΄nica de target triplets") β€” os/arch/rust-triple/asset-name for windows-x64, macos-arm64, macos-x64, linux-x64. release.yml, install.sh, install.ps1 and simplicio-update-manifest.json all now derive their naming from this table instead of each inventing its own convention.
  • .github/workflows/release.yml β€” stages assets under the canonical names.
  • simplicio-update-manifest.json β€” adds real SHA256 entries (computed from the already-committed SHA256SUMS, not fabricated) for windows-x64, macos-x64, linux-x64. Each is explicitly "signed": false with a signing_note β€” no fake signatures are claimed; macos-arm64 keeps its existing real ed25519 signature untouched.
  • install.ps1 / install.sh β€” download to a staging file, verify SHA256 against the manifest before installing (refuses by default if no checksum is published for the target; SIMPLICIO_ALLOW_UNVERIFIED=1 to override), then atomically move the verified file into place. Added idempotent -Doctor/--doctor (binary present, on PATH, runs) and -Uninstall/--uninstall (removes the binary only, preserves ~/.simplicio user data) subcommands β€” safe to re-run any number of times.
  • scripts/verify_distribution_consistency.py β€” new check_target_triplet_consistency check: fails CI if release.yml, either installer, or the manifest drifts from distribution/targets.json, so this exact bug class can't silently regress.
  • INSTALL.md β€” corrected the manual-download asset table (it previously listed the wrong/generic filenames) and documented the new doctor/uninstall flags.

Explicitly out of scope for this PR (tracked under issue #5 for follow-up)

  • ed25519 signing for windows-x64, macos-x64, linux-x64 (only macos-arm64 is currently signed β€” no signing key/infra available to generate real signatures here).
  • Local LLM provisioning flow (verified/licensable).
  • Auto-update + rollback with a running process.
  • Full Homebrew/npm/pypi wrapper version alignment (scripts/verify_distribution_consistency.py already flags these as pre-existing WARNs β€” Formula is on 1.2.0, npm/pypi on 3.0.2, manifest on 3.5.2, and version.txt on 3.0.2 vs manifest 3.5.2; none of that is touched here since it requires an actual release decision, not a script change).
  • Clean-Windows-VM install/update/uninstall verification pass with screenshots (needs a real VM, not available in this environment).

Test plan

  • python scripts/verify_distribution_consistency.py β€” new target-triplet check passes ([OK] release.yml, installers and manifest all agree with distribution/targets.json (4 targets)); pre-existing unrelated version.txt vs manifest ERROR is unchanged from before this PR (verified via git stash).
  • install.ps1 parses cleanly ([System.Management.Automation.Language.Parser]::ParseFile, no errors).
  • install.sh passes bash -n; --doctor code path exercised with a mocked uname (correctly reports missing binary / PATH status / exit code).
  • SHA256 values added to the manifest were computed directly from the committed binaries and cross-checked against the existing SHA256SUMS file (simplicio-windows-x64.exe, simplicio-darwin-x64, simplicio-linux-x64) β€” not fabricated.
  • Real end-to-end install on a clean Windows/macOS/Linux VM (needs an actual release + VM; not exercised here).

πŸ€– Generated with Claude Code

…nstallers

Windows installs were broken: install.ps1 downloaded simplicio-windows-x64
while release.yml staged simplicio-windows-x86_64.exe, and install.sh built
asset names from darwin/x86_64 while release.yml only ever published
macos-arm64/darwin-x64/linux-x64 - none of which matched. Downloads also had
no checksum verification and no atomic swap.

- distribution/targets.json: single canonical target-triplet table (os,
  arch, rust triple, asset name) that release.yml, install.sh, install.ps1
  and simplicio-update-manifest.json now all derive their naming from.
- release.yml: stage assets under the canonical names from the table.
- simplicio-update-manifest.json: add real (non-fabricated) SHA256 entries
  for windows-x64, macos-x64 and linux-x64, sourced from the committed
  SHA256SUMS; each explicitly flagged signed:false until ed25519 signing
  infra exists for those targets (macos-arm64 keeps its existing signature).
- install.ps1 / install.sh: fetch the release's update manifest, verify the
  downloaded binary's SHA256 before installing (refuse by default if no
  checksum is published; SIMPLICIO_ALLOW_UNVERIFIED=1 to override), stage
  the download and atomically swap it into place, and add idempotent
  -Doctor/--doctor and -Uninstall/--uninstall subcommands (uninstall
  preserves ~/.simplicio user data).
- scripts/verify_distribution_consistency.py: new check that fails CI if
  release.yml, either installer, or the manifest drifts from
  distribution/targets.json, so this class of bug can't regress silently.
- INSTALL.md: corrected the manual-download asset table and documented the
  new doctor/uninstall flags.

Remaining acceptance criteria for the parent P0 (out of scope for this
slice, tracked under issue #5): ed25519 signing for windows/linux/macos-x64
artifacts, LLM-local provisioning flow, auto-update/rollback with a running
process, and a clean-VM install/update/uninstall verification pass.

Closes #5
@wesleysimplicio
wesleysimplicio merged commit ac6d001 into master Jul 14, 2026
0 of 12 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ’‘ Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac272bf8c6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with πŸ‘.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines 20 to +23
"sha256": "931bc6d8f45c1b1e586070f8f5ac4a762861bc9157c70f75aaa4ebfad8ff27bb",
"signature": "ed25519:2omwTRLIpznbAjJJfCLKopWRjQWQPegU1bQKFGKQztgcg/ux3YGQWIBw9oOMzzMvd6E4kVe8vWvhU6+hDhfKAg==",
"signature_algorithm": "ed25519",
"signed": true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Update the macOS arm checksum before enforcing verification

With this commit the Unix installer now rejects checksum mismatches, but the macOS-arm artifact still carries a stale hash/signature. I checked the release workflow: it stages the repository's simplicio file as dist/simplicio-macos-arm64 (.github/workflows/release.yml line 39), and the current file hashes to 1911069c..., not the manifest's 931bc6d...; once this workflow publishes that asset, Apple Silicon installs fail at the new checksum check. Please update the manifest/signature to match the staged asset or stage the signed binary.

Useful? React with πŸ‘Β / πŸ‘Ž.

Comment thread install.sh
Comment on lines +174 to +175
if command -v python3 >/dev/null 2>&1; then
EXPECTED_SHA256="$(python3 -c "

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid requiring python3 just to parse the manifest

On fresh macOS/Linux installs where curl/wget and shasum are available but python3 is not, this branch silently skips parsing the successfully downloaded manifest, leaves EXPECTED_SHA256 empty, and the next block refuses the install as if no checksum were published. That makes Python an undocumented hard prerequisite before the binary can even be installed; use an available parser/fallback or fail with an explicit dependency error instead of reporting missing checksums.

Useful? React with πŸ‘Β / πŸ‘Ž.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant