fix: revert WASM artifact SHA256 checksums to null#627
Conversation
Reverts the checksums added in fe4c3c5. The baked-in checksums cause production failures when the host binary's WIT version doesn't match the artifacts at /releases/latest/ — WASM tools (web-search) and channels (telegram) fail with "matching implementation was not found in the linker". Setting sha256 back to null unblocks the runtime install path (ExtensionManager doesn't validate checksums) and allows the next release-plz run to publish matching host + artifact pairs. [skip-regression-check] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-actions
bot
added
size: S
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request resolves a critical production issue affecting WASM-based tools and channels. The problem stemmed from mismatched WIT versions between the host binary and deployed artifacts, with baked-in SHA256 checksums blocking the runtime installation path. By temporarily reverting these checksums to null, the system can bypass validation, allowing for a subsequent release to publish compatible host and artifact pairs, thereby restoring functionality. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request reverts the SHA256 checksums for all WASM artifacts back to null as a hotfix for a production issue caused by a WIT version mismatch. While this change appears to force a build-from-source in the RegistryInstaller by triggering a MissingChecksum error, it introduces a significant security concern. By setting the checksum to null, a critical integrity check is disabled. My review includes a critical security comment highlighting the risk of a Man-in-the-Middle (MITM) attack if any part of the system downloads and installs these artifacts without verification. This change should be treated as a temporary measure and reverted as soon as possible.
Note: Security Review has been skipped due to the limited scope of the PR.
| "wasm32-wasip2": { | ||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/discord-wasm32-wasip2.tar.gz", | ||
| "sha256": "27d83724c22cac2658c5f4e04dfe761206270e65d599e8f08cc8148c3d9bbe86" | ||
| "sha256": null |
There was a problem hiding this comment.
Setting the sha256 checksum to null disables integrity verification for downloaded artifacts. While the RegistryInstaller appears to handle this by falling back to a secure build-from-source, this change introduces a potential security risk if any other installation mechanism downloads from the URL without checksum validation. The pull request description's mention of an ExtensionManager that "doesn't validate checksums" suggests such a path might exist. An attacker could exploit this via a Man-in-the-Middle (MITM) attack to serve a malicious artifact. This change should be reverted and checksums restored as soon as the underlying WIT version mismatch is resolved in a new release.
There was a problem hiding this comment.
Pull request overview
This PR reverts precomputed SHA256 checksums in the extension registry manifests back to null for WASM tool/channel artifacts, intending to address a production breakage involving WIT version mismatches from releases/latest artifacts.
Changes:
- Set
artifacts.wasm32-wasip2.sha256tonullacross 14 registry manifests (tools + channels). - Leaves the
artifacts.wasm32-wasip2.urlpointing at GitHubreleases/latestdownloads.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 15 comments.
Show a summary per file
| File | Description |
|---|---|
| registry/tools/web-search.json | Set artifact sha256 to null |
| registry/tools/telegram.json | Set artifact sha256 to null |
| registry/tools/slack.json | Set artifact sha256 to null |
| registry/tools/google-slides.json | Set artifact sha256 to null |
| registry/tools/google-sheets.json | Set artifact sha256 to null |
| registry/tools/google-drive.json | Set artifact sha256 to null |
| registry/tools/google-docs.json | Set artifact sha256 to null |
| registry/tools/google-calendar.json | Set artifact sha256 to null |
| registry/tools/gmail.json | Set artifact sha256 to null |
| registry/tools/github.json | Set artifact sha256 to null |
| registry/channels/whatsapp.json | Set artifact sha256 to null |
| registry/channels/telegram.json | Set artifact sha256 to null |
| registry/channels/slack.json | Set artifact sha256 to null |
| registry/channels/discord.json | Set artifact sha256 to null |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -18,7 +18,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-slides-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this tool via ironclaw registry install google-slides / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-slides-wasm32-wasip2.tar.gz", | |
| "url": null, |
| @@ -19,7 +19,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-docs-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this tool via ironclaw registry install google-docs / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-docs-wasm32-wasip2.tar.gz", | |
| "url": null, |
| @@ -20,7 +20,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/github-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this tool via ironclaw registry install github / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/github-wasm32-wasip2.tar.gz", | |
| "url": null, |
| "wasm32-wasip2": { | ||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/telegram-mtproto-wasm32-wasip2.tar.gz", | ||
| "sha256": "1c3028052f680e2efa7d857d50bcb57dbc171ad197d2527875b9c3cd22f0c830" | ||
| "sha256": null |
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break ironclaw registry install telegram-mtproto / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "wasm32-wasip2": { | ||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/slack-tool-wasm32-wasip2.tar.gz", | ||
| "sha256": "600fdb6f25f42bd635d3cf28217778c780e781b780c7250a57bebcf889616209" | ||
| "sha256": null |
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break ironclaw registry install slack-tool / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| @@ -19,7 +19,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-drive-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this tool via ironclaw registry install google-drive / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-drive-wasm32-wasip2.tar.gz", | |
| "url": null, |
| @@ -19,7 +19,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-calendar-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this tool via ironclaw registry install google-calendar / setup flows unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/google-calendar-wasm32-wasip2.tar.gz", | |
| "url": null, |
| @@ -19,7 +19,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/whatsapp-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
With sha256: null and a non-null artifact url, RegistryInstaller::install_from_artifact() will error MissingChecksum and (in non-repo environments) won’t be able to fall back to building from source. This will break installs of this channel via ironclaw registry install channels/whatsapp and the setup wizard’s channel install step unless a repo checkout is present; either restore a correct checksum or avoid advertising the artifact URL when checksums aren’t available.
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/whatsapp-wasm32-wasip2.tar.gz", | |
| "url": null, |
| @@ -19,7 +19,7 @@ | |||
| "artifacts": { | |||
| "wasm32-wasip2": { | |||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/web-search-wasm32-wasip2.tar.gz", | |||
There was a problem hiding this comment.
Setting artifacts.wasm32-wasip2.sha256 to null while keeping a non-null url will make RegistryInstaller::install_from_artifact() fail with MissingChecksum (it requires a checksum before download). This breaks ironclaw registry install web-search and the setup wizard’s tool-install step in non-repo installs where source fallback isn’t available; either restore a correct SHA256 for the published artifact, or change the install strategy (e.g., don’t advertise an artifact URL when checksums aren’t provided).
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/web-search-wasm32-wasip2.tar.gz", | |
| "url": null, |
| "wasm32-wasip2": { | ||
| "url": "https://github.com/nearai/ironclaw/releases/latest/download/web-search-wasm32-wasip2.tar.gz", | ||
| "sha256": "8e62c9c3efaa90db92dbf421289cd9a8ba83a64613481d0f2bf9070f0403e801" | ||
| "sha256": null |
There was a problem hiding this comment.
PR description mentions checksum values blocking ExtensionManager::install(), but the ExtensionManager install path downloads by URL without using manifest sha256; sha256 is enforced by RegistryInstaller instead. If the goal is to fix runtime installs via ExtensionManager, this manifest change alone won’t affect that behavior—consider adjusting the artifact URL/versioning or the runtime install logic accordingly.
Reverts the checksums added in fe4c3c5. The baked-in checksums cause production failures when the host binary's WIT version doesn't match the artifacts at /releases/latest/ — WASM tools (web-search) and channels (telegram) fail with "matching implementation was not found in the linker". Setting sha256 back to null unblocks the runtime install path (ExtensionManager doesn't validate checksums) and allows the next release-plz run to publish matching host + artifact pairs. [skip-regression-check] Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reverts the checksums added in cad98e9. The baked-in checksums cause production failures when the host binary's WIT version doesn't match the artifacts at /releases/latest/ — WASM tools (web-search) and channels (telegram) fail with "matching implementation was not found in the linker". Setting sha256 back to null unblocks the runtime install path (ExtensionManager doesn't validate checksums) and allows the next release-plz run to publish matching host + artifact pairs. [skip-regression-check] Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
nullacross all 14 registry JSON filesweb-search) and channels (telegram) fail with WIT version mismatch:component imports instance 'near:agent/host@0.2.0', but a matching implementation was not found in the linkerRoot cause
The baked-in checksums block the runtime install path when the host binary's WIT doesn't match the artifacts at
/releases/latest/. Setting sha256 to null unblocksExtensionManager::install()(which doesn't validate checksums) and allows the next release-plz run to publish matching host + artifact pairs.Test plan
cargo test registry— 113 passed, 0 failed/releases/latest/matches new binary🤖 Generated with Claude Code