Summary
Add content integrity verification by storing SHA-256 checksums of downloaded package content in apm.lock.yaml. Verify checksums on subsequent installs to detect tampering or MITM modifications.
Background
Identified during the security assessment for #313 (content security scanner). APM currently stores resolved_commit (git SHA) in the lockfile but does not verify that the downloaded file content matches any expected hash. A network-level attacker, compromised proxy, or force-pushed commit could serve different content for the same SHA.
For comparison, npm stores integrity hashes (SHA-512) in package-lock.json and verifies every download against them.
Proposed behavior
- During apm install, after downloading a package, compute SHA-256 of the package's file tree (deterministic hash of all file contents)
- Store the hash in apm.lock.yaml alongside resolved_commit:

```yaml
dependencies:
  - repo_url: "https://github.com/owner/repo"
    resolved_commit: "abc123..."
    content_hash: "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
```
- On subsequent installs from cache, verify the hash matches. On mismatch, warn and re-download.
Considerations
- Hash should be computed over file contents (not metadata like timestamps) for reproducibility
- Performance: SHA-256 is fast — even large packages (10MB) hash in ~10ms
- Backward compatibility: a missing content_hash (older lockfiles) should not block install
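An added illustration of the proposed flow (not APM's own code): a deterministic tree hash computed over file contents only, a lockfile check that reports a mismatch when the same resolved_commit comes back with different bytes, and the backward-compatibility case where an older entry has no content_hash. The hash scheme (sorted paths with length prefixes), the function names and the sample package files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_files(files: dict) -> str:
    """Deterministic SHA-256 over {relative_posix_path: bytes}: sorted path order
    plus length prefixes, so only paths and contents matter, never timestamps,
    file modes or directory traversal order."""
    h = hashlib.sha256()
    for rel in sorted(files):
        name, data = rel.encode("utf-8"), files[rel]
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(data).to_bytes(4, "big") + data)
    return "sha256:" + h.hexdigest()

def content_hash(root: str) -> str:
    """Read every regular file under root and hash the tree."""
    root_path = Path(root)
    return hash_files({p.relative_to(root_path).as_posix(): p.read_bytes()
                       for p in root_path.rglob("*") if p.is_file()})

def verify_lock_entry(entry: dict, root: str) -> str:
    """Check a cached tree against its apm.lock.yaml entry. Older lockfiles
    without content_hash yield "unpinned" so the install is not blocked."""
    expected = entry.get("content_hash")
    if not expected:
        return "unpinned"
    return "ok" if content_hash(root) == expected else "mismatch"

def write_tree(root: str, files: dict) -> None:
    """Materialise constructed {relative_path: bytes} sample files under root."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo() -> tuple:
    """Pin a constructed package, then check an untouched copy and a tampered
    copy that a MITM could serve under the same resolved_commit."""
    pkg = {"apm.yaml": b"name: demo\n", "prompts/review.md": b"Check inputs.\n"}
    tampered = {**pkg, "prompts/review.md": b"Check inputs!\n"}  # one byte differs
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        write_tree(good, pkg)
        write_tree(bad, tampered)
        entry = {"repo_url": "https://github.com/owner/repo",  # constructed values
                 "resolved_commit": "abc123", "content_hash": content_hash(good)}
        legacy = {"repo_url": entry["repo_url"], "resolved_commit": "abc123"}
        return (verify_lock_entry(entry, good), verify_lock_entry(entry, bad),
                verify_lock_entry(legacy, bad))
```

With no files at all the scheme degenerates to SHA-256 of the empty input, which is exactly the sha256:e3b0c442... value quoted in the lockfile sketch above.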
Priority
P0 — highest impact security improvement available per the security panel assessment.
Related
- feat: add content security scanning and apm audit command #313 — Content security scanner (PR)
- Content security scanning for prompt files (hidden Unicode detection) #312 — Content security scanner (issue)