feat(foundryup): avoid unnecessary downloads and verify hashes of downloaded binaries upon install

[zerosnacks]

Motivation

Closes: #10755
Closes: #9519

• Book PR: feat: update copy of installation note on verification / integrity check of binaries book#1591

Adds notice prompt to update the foundryup installation when running foundryup.

Solution

With the release workflow we now generate attestation artifact links alongside the release: nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3

We downloads the attestation artifact .txt based on the architecture. If an attestation artifact .txt is found in the release we continue and extract the link from the text file. This link points to the actual attestation artifact (.sigstore). We download this artifact and extract the base64 encoded payload from it, this contains the SHA256 hashes. We store these hashes in a global HASH_NAMES / HASH_VALUES arrays that we can access later by lookup.

Next we check the SHA256 sum of the current binaries of the version to install against the hashes of the verification artifact (so not necessarily the one activated but rather the binaries stored in ~/.foundry/versions/). If these two do not match we can assume the local version is out of date and we need to download the binaries. If there is an exact match we know they are up to date and we can exit early, preventing an unnecessary download. Previously we would always download the binaries no matter what.

Finally, once the binaries are downloaded, we match the newly downloaded binaries against the earlier stored HASH_NAMES / HASH_VALUES. This should always match exactly, if it does not there is a potential security issue as the user is installing a version that is different than the one produced by the release workflow.

Includes a -f / --force flag to skip verification and force fresh install

Because we versioned foundryup we can inform the user their installation is out of date by matching it against the version of the current version on master

You can test the functionality by changing FOUNDRYUP_INSTALLER_VERSION="1.3.0" to FOUNDRYUP_INSTALLER_VERSION="1.0.0" in the PR. If the version of the installer is greater than the one on master we proceed without informing.

Steps to test

git clone && git checkout grandizzy/attestation-url

./foundryup/foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3

this tests the verification flow, next rerun:

./foundryup/foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3

this tests the early exit on exact hash match

./foundryup/foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 --force

this tests the force skipping of verification

Optional:

Change FOUNDRYUP_INSTALLER_VERSION="1.3.0" to FOUNDRYUP_INSTALLER_VERSION="1.0.0" in ./foundrup/foundryup, rerun the steps above. You will see being prompted to update your installer.

Note

• Previously we used HASHES[bin] with declare -A, this is not compatible with MacOS.

To do

• Check compatibility on default MacOS install
• Check compatibility on Windows and find exact equivalents
• Test case of mismatching hashes, an error should be thrown - maybe we can request the user to report this? (tested with current nightly which has attestation files from test)

PR Checklist

• Added Tests
• Added Documentation
• Breaking changes

[zerosnacks]

Install stable, does not have attestation files linked in its release:

foundryup -i stable


.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

 ╔═╗ ╔═╗ ╦ ╦ ╔╗╔ ╔╦╗ ╦═╗ ╦ ╦         Portable and modular toolkit
 ╠╣  ║ ║ ║ ║ ║║║  ║║ ╠╦╝ ╚╦╝    for Ethereum Application Development
 ╚   ╚═╝ ╚═╝ ╝╚╝ ═╩╝ ╩╚═  ╩                 written in Rust.

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

Repo       : https://github.com/foundry-rs/foundry
Book       : https://book.getfoundry.sh/
Chat       : https://t.me/foundry_rs/
Support    : https://t.me/foundry_support/
Contribute : https://github.com/foundry-rs/foundry/blob/master/CONTRIBUTING.md

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

foundryup: installing foundry (version stable, tag stable)
foundryup: checking if forge, cast, anvil, and chisel for stable version are already installed
################################################################################################################# 100.0%
foundryup: no attestation found for this release, skipping SHA verification
foundryup: binaries not found or do not match expected hashes, downloading new binaries
foundryup: downloading forge, cast, anvil, and chisel for stable version
################################################################################################################# 100.0%
forge
cast
anvil
chisel
foundryup: downloading manpages
################################################################################################################# 100.0%
foundryup: no attestation found for these binaries, skipping SHA verification for downloaded binaries
foundryup: use - forge 1.2.3-stable (a813a2cee7 2025-06-08T15:42:40.147013149Z)
foundryup: use - cast 1.2.3-stable (a813a2cee7 2025-06-08T15:42:40.147013149Z)
foundryup: use - anvil 1.2.3-stable (a813a2cee7 2025-06-08T15:42:40.147013149Z)
foundryup: use - chisel 1.2.3-stable (a813a2cee7 2025-06-08T15:42:40.147013149Z)

Install nightly, this one has attestation artifacts linked:

foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3


.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

 ╔═╗ ╔═╗ ╦ ╦ ╔╗╔ ╔╦╗ ╦═╗ ╦ ╦         Portable and modular toolkit
 ╠╣  ║ ║ ║ ║ ║║║  ║║ ╠╦╝ ╚╦╝    for Ethereum Application Development
 ╚   ╚═╝ ╚═╝ ╝╚╝ ═╩╝ ╩╚═  ╩                 written in Rust.

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

Repo       : https://github.com/foundry-rs/foundry
Book       : https://book.getfoundry.sh/
Chat       : https://t.me/foundry_rs/
Support    : https://t.me/foundry_support/
Contribute : https://github.com/foundry-rs/foundry/blob/master/CONTRIBUTING.md

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

foundryup: installing foundry (version nightly, tag nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3)
foundryup: checking if forge, cast, anvil, and chisel for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version are already installed
####################################################################################################################################################################### 100.0%
foundryup: found attestation for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version, downloading attestation artifact, checking...
####################################################################################################################################################################### 100.0%
foundryup: binaries not found or do not match expected hashes, downloading new binaries
foundryup: downloading forge, cast, anvil, and chisel for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version
####################################################################################################################################################################### 100.0%
forge
cast
anvil
chisel
foundryup: downloading manpages
####################################################################################################################################################################### 100.0%
foundryup: verifying downloaded binaries against the attestation file
foundryup: forge verified ✓
foundryup: cast verified ✓
foundryup: anvil verified ✓
foundryup: chisel verified ✓
foundryup: use - forge 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - cast 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - anvil 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - chisel 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)

Install nightly again:

foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3


.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

 ╔═╗ ╔═╗ ╦ ╦ ╔╗╔ ╔╦╗ ╦═╗ ╦ ╦         Portable and modular toolkit
 ╠╣  ║ ║ ║ ║ ║║║  ║║ ╠╦╝ ╚╦╝    for Ethereum Application Development
 ╚   ╚═╝ ╚═╝ ╝╚╝ ═╩╝ ╩╚═  ╩                 written in Rust.

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

Repo       : https://github.com/foundry-rs/foundry
Book       : https://book.getfoundry.sh/
Chat       : https://t.me/foundry_rs/
Support    : https://t.me/foundry_support/
Contribute : https://github.com/foundry-rs/foundry/blob/master/CONTRIBUTING.md

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

foundryup: installing foundry (version nightly, tag nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3)
foundryup: checking if forge, cast, anvil, and chisel for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version are already installed
####################################################################################################################################################################### 100.0%
foundryup: found attestation for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version, downloading attestation artifact, checking...
####################################################################################################################################################################### 100.0%
foundryup: version nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 already installed and verified, activating...
foundryup: use - forge 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - cast 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - anvil 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - chisel 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)

Install nightly with --force:

foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 --force


.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

 ╔═╗ ╔═╗ ╦ ╦ ╔╗╔ ╔╦╗ ╦═╗ ╦ ╦         Portable and modular toolkit
 ╠╣  ║ ║ ║ ║ ║║║  ║║ ╠╦╝ ╚╦╝    for Ethereum Application Development
 ╚   ╚═╝ ╚═╝ ╝╚╝ ═╩╝ ╩╚═  ╩                 written in Rust.

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

Repo       : https://github.com/foundry-rs/foundry
Book       : https://book.getfoundry.sh/
Chat       : https://t.me/foundry_rs/
Support    : https://t.me/foundry_support/
Contribute : https://github.com/foundry-rs/foundry/blob/master/CONTRIBUTING.md

.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx.xOx

foundryup: installing foundry (version nightly, tag nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3)
foundryup: downloading forge, cast, anvil, and chisel for nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 version
####################################################################################################################################################################### 100.0%
forge
cast
anvil
chisel
foundryup: downloading manpages
####################################################################################################################################################################### 100.0%
foundryup: skipped SHA verification for downloaded binaries due to --force flag
foundryup: use - forge 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - cast 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - anvil 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)
foundryup: use - chisel 1.2.3-nightly (e0d3e2a842 2025-07-02T10:58:11.775748718Z)

[grandizzy]

Some scenarios to consider

• for backwards compatibility, if attestation file doesn't exist then ignore verification
• maybe add a force flag to ignore any validation
• versions could be installed but not actively used (like v1.0.0 is installed locally but stable is the current one), so probably we should compare with binaries within versions dir

[zerosnacks]

Good call!

• for backwards compatibility, if attestation file doesn't exist then ignore verification

This is currently the case, see stable example above - we skip the verification step if the attestation file in not available

• maybe add a force flag to ignore any validation

Done, I did make it so that -f / --force forces a fresh install without verification. I think this matches the expectation of a --force flag. We also can't avoid a fresh install because we don't have attestation artifacts to match against.

• versions could be installed but not actively used (like v1.0.0 is installed locally but stable is the current one), so probably we should compare with binaries within versions dir

This is currently the case, we look now in the versions directory for a matching tag. So instead of matching against /home/zerosnacks/.foundry/bin/forge we match against /home/zerosnacks/.foundry/versions/<TAG>/forge and we activate w/ use if there is a match.

[grandizzy]

all good tested on Win

• installing nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 (foundryup -i nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3) proper validates and avoids downloading binaries on subsequent runs - expected
• installing stable (foundryup) succeed (no attestation files present) - expected
• installing nightly (foundryup -i nightly) fails (wrong attestation files kept from nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3 but newer binaries built) - expected

[0xrusowsky]

the logic makes sense to me.

as a side note though, despite docs are probably more suited than the actual implementation, imo it is worth explicitly stating the security risks of running with the --force flag

[grandizzy]

the logic makes sense to me.

as a side note though, despite docs are probably more suited than the actual implementation, imo it is worth explicitly stating the security risks of running with the --force flag

good point, yeah, docs should explicitly say that running with --force is discouraged and that verify does not mean people should skip their own due diligence

[zerosnacks]

the logic makes sense to me.

as a side note though, despite docs are probably more suited than the actual implementation, imo it is worth explicitly stating the security risks of running with the --force flag

I've updated the documentation in the book here: https://76c73263.foundry-book.pages.dev/introduction/installation#verifying-the-integrity-and-provenance-of-binaries that points out you can at any time manually verify the integrity of the binary as well (this shows valid matches for all releases going back to the point where this was introduced).

--force effectively is what users have been doing until now and the same assumptions hold - it also double serves as an escape hatch in case for any reason the verification does not work (Github down, issues w/ specific architecture / OS, etc..).

I think once we are sure --force is only used in exceptional cases we can clarify the security issue with skipping the verification step more but open to clarifying / updating the current docs in the book

[zerosnacks]

• Retested on Linux / MacOS

(CI failures are unrelated)

[0xrusowsky]

this looks great! i think people will love it 🙏

[mattsse]

not a bash expert, so if this works, makes sense