fix(distribution): canonical target-triplet table + verified/atomic installers#14
Conversation
β¦nstallers Windows installs were broken: install.ps1 downloaded simplicio-windows-x64 while release.yml staged simplicio-windows-x86_64.exe, and install.sh built asset names from darwin/x86_64 while release.yml only ever published macos-arm64/darwin-x64/linux-x64 - none of which matched. Downloads also had no checksum verification and no atomic swap. - distribution/targets.json: single canonical target-triplet table (os, arch, rust triple, asset name) that release.yml, install.sh, install.ps1 and simplicio-update-manifest.json now all derive their naming from. - release.yml: stage assets under the canonical names from the table. - simplicio-update-manifest.json: add real (non-fabricated) SHA256 entries for windows-x64, macos-x64 and linux-x64, sourced from the committed SHA256SUMS; each explicitly flagged signed:false until ed25519 signing infra exists for those targets (macos-arm64 keeps its existing signature). - install.ps1 / install.sh: fetch the release's update manifest, verify the downloaded binary's SHA256 before installing (refuse by default if no checksum is published; SIMPLICIO_ALLOW_UNVERIFIED=1 to override), stage the download and atomically swap it into place, and add idempotent -Doctor/--doctor and -Uninstall/--uninstall subcommands (uninstall preserves ~/.simplicio user data). - scripts/verify_distribution_consistency.py: new check that fails CI if release.yml, either installer, or the manifest drifts from distribution/targets.json, so this class of bug can't regress silently. - INSTALL.md: corrected the manual-download asset table and documented the new doctor/uninstall flags. Remaining acceptance criteria for the parent P0 (out of scope for this slice, tracked under issue #5): ed25519 signing for windows/linux/macos-x64 artifacts, LLM-local provisioning flow, auto-update/rollback with a running process, and a clean-VM install/update/uninstall verification pass. Closes #5
There was a problem hiding this comment.
π‘ Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ac272bf8c6
βΉοΈ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with π.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "sha256": "931bc6d8f45c1b1e586070f8f5ac4a762861bc9157c70f75aaa4ebfad8ff27bb", | ||
| "signature": "ed25519:2omwTRLIpznbAjJJfCLKopWRjQWQPegU1bQKFGKQztgcg/ux3YGQWIBw9oOMzzMvd6E4kVe8vWvhU6+hDhfKAg==", | ||
| "signature_algorithm": "ed25519", | ||
| "signed": true, |
There was a problem hiding this comment.
Update the macOS arm checksum before enforcing verification
With this commit the Unix installer now rejects checksum mismatches, but the macOS-arm artifact still carries a stale hash/signature. I checked the release workflow: it stages the repository's simplicio file as dist/simplicio-macos-arm64 (.github/workflows/release.yml line 39), and the current file hashes to 1911069c..., not the manifest's 931bc6d...; once this workflow publishes that asset, Apple Silicon installs fail at the new checksum check. Please update the manifest/signature to match the staged asset or stage the signed binary.
Useful? React with πΒ / π.
| if command -v python3 >/dev/null 2>&1; then | ||
| EXPECTED_SHA256="$(python3 -c " |
There was a problem hiding this comment.
Avoid requiring python3 just to parse the manifest
On fresh macOS/Linux installs where curl/wget and shasum are available but python3 is not, this branch silently skips parsing the successfully downloaded manifest, leaves EXPECTED_SHA256 empty, and the next block refuses the install as if no checksum were published. That makes Python an undocumented hard prerequisite before the binary can even be installed; use an available parser/fallback or fail with an explicit dependency error instead of reporting missing checksums.
Useful? React with πΒ / π.
Summary
Issue #5 is a large P0 distribution epic. This PR lands a real, self-contained slice: it fixes the concrete naming drift that was breaking the Windows installer today, and turns that class of bug into a CI-enforced invariant.
Bug found and fixed:
install.ps1downloadedsimplicio-windows-x64while.github/workflows/release.ymlstagedsimplicio-windows-x86_64.exeβ no release asset ever matched what the installer requested, soirm .../install.ps1 | iexon Windows was broken.install.shhad the same problem for macOS/Linux: it built asset names fromdarwin/x86_64, but the workflow only ever publishedmacos-arm64/darwin-x64/linux-x64.What changed
distribution/targets.jsonβ the canonical target-triplet table (AC: "tabela canΓ΄nica de target triplets") β os/arch/rust-triple/asset-name forwindows-x64,macos-arm64,macos-x64,linux-x64.release.yml,install.sh,install.ps1andsimplicio-update-manifest.jsonall now derive their naming from this table instead of each inventing its own convention..github/workflows/release.ymlβ stages assets under the canonical names.simplicio-update-manifest.jsonβ adds real SHA256 entries (computed from the already-committedSHA256SUMS, not fabricated) forwindows-x64,macos-x64,linux-x64. Each is explicitly"signed": falsewith asigning_noteβ no fake signatures are claimed;macos-arm64keeps its existing real ed25519 signature untouched.install.ps1/install.shβ download to a staging file, verify SHA256 against the manifest before installing (refuses by default if no checksum is published for the target;SIMPLICIO_ALLOW_UNVERIFIED=1to override), then atomically move the verified file into place. Added idempotent-Doctor/--doctor(binary present, on PATH, runs) and-Uninstall/--uninstall(removes the binary only, preserves~/.simpliciouser data) subcommands β safe to re-run any number of times.scripts/verify_distribution_consistency.pyβ newcheck_target_triplet_consistencycheck: fails CI ifrelease.yml, either installer, or the manifest drifts fromdistribution/targets.json, so this exact bug class can't silently regress.INSTALL.mdβ corrected the manual-download asset table (it previously listed the wrong/generic filenames) and documented the new doctor/uninstall flags.Explicitly out of scope for this PR (tracked under issue #5 for follow-up)
windows-x64,macos-x64,linux-x64(onlymacos-arm64is currently signed β no signing key/infra available to generate real signatures here).scripts/verify_distribution_consistency.pyalready flags these as pre-existing WARNs β Formula is on1.2.0, npm/pypi on3.0.2, manifest on3.5.2, andversion.txton3.0.2vs manifest3.5.2; none of that is touched here since it requires an actual release decision, not a script change).Test plan
python scripts/verify_distribution_consistency.pyβ new target-triplet check passes ([OK] release.yml, installers and manifest all agree with distribution/targets.json (4 targets)); pre-existing unrelatedversion.txtvs manifest ERROR is unchanged from before this PR (verified viagit stash).install.ps1parses cleanly ([System.Management.Automation.Language.Parser]::ParseFile, no errors).install.shpassesbash -n;--doctorcode path exercised with a mockeduname(correctly reports missing binary / PATH status / exit code).SHA256SUMSfile (simplicio-windows-x64.exe,simplicio-darwin-x64,simplicio-linux-x64) β not fabricated.π€ Generated with Claude Code