Verify kernel archive SHA-256 digests#1703

Open
haoruilee wants to merge 1 commit into apple:main from haoruilee:feat/kernelintegrity

Conversation

@haoruilee


Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

Closes #1687

The default kernel archive is downloaded from a remote release URL during first-run setup and via `container system kernel set --recommended`. Previously, the archive contents were not verified after download, so integrity depended only on HTTPS and the release artifact remaining unchanged.

This change adds Homebrew-style `url` + `sha256` verification for kernel archives. The recommended/default kernel now has a pinned SHA-256 digest, and `container system kernel set --tar` accepts `--sha256` so custom local or remote tar archives can be verified before unpacking and installation.

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs

Validated on macOS:

  • `swift test --filter KernelServiceTests` passed
  • `swift test --filter ConfigurationLoaderTests` passed
  • `container system kernel set --tar <remote-url> --binary <path> --sha256 <digest>` succeeded and containers ran successfully
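The flow the description sketches, shown here as an added example in Python rather than the project's Swift: download to a temporary location, compare the archive's SHA-256 against the pinned value before anything is unpacked, and only then extract into the install directory. This is not code from this PR or from the container project; the function names, the handling of an optional `sha256:` prefix, and the sample archive built by `make_sample_archive()` are assumptions constructed for the example.

```python
"""Pin, download and verify a kernel archive before unpacking.

Added example: illustrative Python, not the container project's Swift
implementation. verify_archive, install_verified and fetch_and_install are
hypothetical names; make_sample_archive() builds a constructed sample.
"""
import hashlib
import hmac
import io
import tarfile
import tempfile
import urllib.request
from pathlib import Path


class DigestMismatch(Exception):
    """The downloaded archive does not match the pinned SHA-256 digest."""


def normalize_digest(digest: str) -> str:
    """Accept a bare hex digest or a 'sha256:<hex>' prefix, in either case.

    Returns lowercase hex so pinned values compare byte-for-byte.
    """
    d = digest.strip().lower()
    if d.startswith("sha256:"):
        d = d[len("sha256:"):]
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return d


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks; kernel archives can be large."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(path: Path, expected: str) -> str:
    """Return the archive's digest if it equals the pinned one, else raise."""
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, normalize_digest(expected)):
        raise DigestMismatch(f"{path.name}: expected {expected}, got {actual}")
    return actual


def install_verified(archive: Path, expected: str, dest_dir: Path) -> list[str]:
    """Verify first, unpack second: on mismatch nothing is written to dest_dir."""
    verify_archive(archive, expected)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Python 3.12+ (and security backports) can refuse absolute paths and
    # '..' traversal inside the tar; older interpreters lack the filter.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive) as tar:
        names = [m.name for m in tar.getmembers()]
        tar.extractall(dest_dir, **extract_opts)
    return names


def fetch_and_install(url: str, expected: str, dest_dir: Path) -> list[str]:
    """Download to a temp file so an unverified archive never lands in dest_dir."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "kernel.tar"
        with urllib.request.urlopen(url) as resp, archive.open("wb") as out:
            for chunk in iter(lambda: resp.read(1 << 20), b""):
                out.write(chunk)
        return install_verified(archive, expected, dest_dir)


def make_sample_archive() -> tuple[Path, str, Path]:
    """Constructed sample: a tiny tar holding a fake 'vmlinux', its digest,
    and an empty destination directory to unpack into."""
    work = Path(tempfile.mkdtemp(prefix="kernel-demo-"))
    archive = work / "kernel.tar"
    payload = b"not a real kernel image\n"
    with tarfile.open(archive, "w") as tar:
        info = tarfile.TarInfo("vmlinux")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return archive, sha256_file(archive), work / "kernels"


if __name__ == "__main__":
    archive, digest, dest = make_sample_archive()
    print("pinned", digest)
    print("installed", install_verified(archive, digest, dest))
    try:
        install_verified(archive, "0" * 64, dest / "tampered")
    except DigestMismatch as e:
        print("rejected:", e)
```

The ordering is the point: the digest check runs on the temporary download and raises before `mkdir` or `extractall`, so a tampered or truncated archive leaves no partial kernel behind. `hmac.compare_digest` is used out of habit for comparing digests; the pinned value is public here, so the constant-time property is not load-bearing.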

Development

Successfully merging this pull request may close these issues.

[Request]: Check kernel download integrity when downloading

1 participant