From 12e9013572c0d36a79c11c016c1824dff577ac7d Mon Sep 17 00:00:00 2001
From: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com>
Date: Wed, 11 Feb 2026 16:13:17 -0800
Subject: [PATCH] Add extra checks for OptionalResourceService

---
 app/OptionalResourceService.main.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/OptionalResourceService.main.ts b/app/OptionalResourceService.main.ts
index aa53a42024..0b4236029c 100644
--- a/app/OptionalResourceService.main.ts
+++ b/app/OptionalResourceService.main.ts
@@ -77,7 +77,7 @@ export class OptionalResourceService {
           timingSafeEqual(digest, Buffer.from(decl.digest, 'base64')) &&
           onDisk.length === decl.size
         ) {
-          log.warn(`loaded ${name} from disk`);
+          log.info(`loaded ${name} from disk`);
           this.#cache.set(name, onDisk);
           return onDisk;
         }
@@ -175,6 +175,16 @@ export class OptionalResourceService {
   ): Promise<Buffer> {
     const result = await got(decl.url, await getGotOptions()).buffer();
 
+    const digest = createHash('sha512').update(result).digest();
+
+    // Same digest and size
+    if (
+      !timingSafeEqual(digest, Buffer.from(decl.digest, 'base64')) ||
+      result.length !== decl.size
+    ) {
+      throw new Error(`Invalid remote resource for ${name}`);
+    }
+
     this.#cache.set(name, result);
 
     try {