Add toolchain package verification @osterman (#2415)
## what
- Adds `pkg/toolchain/verification` for Aqua-compatible checksum, signature, and attestation verification before tool extraction.
- Preserves Aqua verification metadata across registry parsing, overrides, version overrides, installer flow, and lockfile metadata.
- Adds toolchain verification policy config, docs, roadmap entry, and changelog post.
## why
- Prevents tampered or mismatched toolchain package assets from being installed when registry metadata provides verification data.
- Keeps the default behavior non-breaking while allowing stricter checksum and signature requirements for CI and regulated environments.
## references
- Tested with `go test ./pkg/toolchain/installer ./pkg/toolchain/... ./cmd/toolchain/...`
- Linted with `scripts/run-custom-golangci-lint.sh`
## Summary by CodeRabbit
- **New Features**
  - Toolchain now verifies downloaded packages (checksums and signatures/attestations) before extraction when registry metadata is present.
  - Multiple verification methods supported (checksums, cosign, SLSA provenance, minisign, GitHub attestations); verifier install mode configurable (auto or path-only).
  - Verification results and metadata are recorded in the toolchain lockfile; lockfile path is configurable.
- **Bug Fixes**
  - Cached assets validated against recorded source URL; mismatched or tampered cached files are re-downloaded or removed; lockfile not updated when extraction fails.
- **Documentation**
  - Added docs, examples, and a blog post explaining package verification and configuration.
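As an added illustration of the verify-before-extract gate the summary describes (cached asset checked against its recorded source URL, checksum looked up from registry data, strict versus non-breaking policy), not code from this PR or the project: the function names, the sha256sum-style checksum file format and the sample bytes are assumptions.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrSourceMismatch = errors.New("cached asset was fetched from a URL the registry no longer names")
	ErrNoChecksum     = errors.New("registry provides no checksum for this asset")
)

// lookupChecksum reads a sha256sum-style file ("<hex>  <filename>" per line) and returns filename's digest.
func lookupChecksum(checksums, filename string) (string, bool) {
	for _, line := range strings.Split(checksums, "\n") {
		if f := strings.Fields(line); len(f) == 2 && strings.TrimPrefix(f[1], "*") == filename {
			return strings.ToLower(f[0]), true
		}
	}
	return "", false
}

// verifyBeforeExtract gates extraction: a cached asset must come from the URL the registry currently
// names (otherwise discard it and re-download), and its SHA-256 must match the registry checksum.
// required=false tolerates assets with no checksum data (the non-breaking default); required=true rejects them.
func verifyBeforeExtract(asset []byte, recordedURL, registryURL, filename, checksums string, required bool) error {
	if recordedURL != registryURL {
		return ErrSourceMismatch
	}
	want, ok := lookupChecksum(checksums, filename)
	if !ok {
		if required {
			return ErrNoChecksum
		}
		return nil // lenient default: no verification data, install as before
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(asset)); got != want {
		return fmt.Errorf("asset checksum mismatch: want %s, got %s", want, got)
	}
	return nil // only now is the asset safe to extract
}

func main() {
	asset := []byte("constructed tarball bytes") // constructed sample, not a real tool
	u, sums := "https://example.invalid/t.tgz", fmt.Sprintf("%x  t.tgz", sha256.Sum256(asset))
	fmt.Println(verifyBeforeExtract(asset, u, u, "t.tgz", sums, true)) // <nil>
}
```

The checksum step shown here is only the first of the methods listed above; cosign, minisign, SLSA and GitHub attestation checks would be additional gates before the same extraction point.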