fix: verify blob hash after download and decryption (closes #5) #39

Open

clawbot wants to merge 2 commits from fix/verify-blob-hash into main

pull from: fix/verify-blob-hash

merge into: sneak:main

sneak:main

sneak:refactor/break-up-long-methods

sneak:add-make-check

sneak:feat/restore-progress-bar

sneak:feature/restore-progress-bar

sneak:feature/implement-prune-flag-on-snapshot-create

sneak:fix/restore-error-handling

sneak:fix/issue-25

sneak:fix/sql-injection-whitelist

sneak:fix/issue-29

sneak:add-compressstream-regression-test

sneak:fix/issue-26

sneak:fix/issue-27

sneak:fix/issue-28

sneak:feature/pluggable-storage-backend

Conversation 4 Commits 2 Files Changed 3 +171 -15

clawbot commented 2026-02-20 11:23:02 +01:00

Collaborator

Copy Link

Summary

Add double-SHA-256 hash verification of decrypted plaintext in FetchAndDecryptBlob. This ensures blob integrity during restore operations by comparing the computed hash against the expected blob hash before returning data to the caller.

The blob hash is SHA256(SHA256(plaintext)) as produced by blobgen.Writer.Sum256(). Verification happens after decryption and decompression but before the data is used.

Test

Added blob_fetch_hash_test.go with tests for:

• Correct hash passes verification
• Mismatched hash returns descriptive error

make test output

golangci-lint run
0 issues.

ok  git.eeqj.de/sneak/vaultik/internal/blob       4.563s
ok  git.eeqj.de/sneak/vaultik/internal/blobgen    3.981s
ok  git.eeqj.de/sneak/vaultik/internal/chunker    4.127s
ok  git.eeqj.de/sneak/vaultik/internal/cli        1.499s
ok  git.eeqj.de/sneak/vaultik/internal/config     1.905s
ok  git.eeqj.de/sneak/vaultik/internal/crypto     0.519s
ok  git.eeqj.de/sneak/vaultik/internal/database   4.590s
ok  git.eeqj.de/sneak/vaultik/internal/globals    0.650s
ok  git.eeqj.de/sneak/vaultik/internal/models     0.779s
ok  git.eeqj.de/sneak/vaultik/internal/pidlock    2.945s
ok  git.eeqj.de/sneak/vaultik/internal/s3         3.286s
ok  git.eeqj.de/sneak/vaultik/internal/snapshot   3.979s
ok  git.eeqj.de/sneak/vaultik/internal/vaultik    4.418s

All tests pass, 0 lint issues.

## Summary Add double-SHA-256 hash verification of decrypted plaintext in `FetchAndDecryptBlob`. This ensures blob integrity during restore operations by comparing the computed hash against the expected blob hash before returning data to the caller. The blob hash is `SHA256(SHA256(plaintext))` as produced by `blobgen.Writer.Sum256()`. Verification happens after decryption and decompression but before the data is used. ## Test Added `blob_fetch_hash_test.go` with tests for: - Correct hash passes verification - Mismatched hash returns descriptive error ## make test output ``` golangci-lint run 0 issues. ok git.eeqj.de/sneak/vaultik/internal/blob 4.563s ok git.eeqj.de/sneak/vaultik/internal/blobgen 3.981s ok git.eeqj.de/sneak/vaultik/internal/chunker 4.127s ok git.eeqj.de/sneak/vaultik/internal/cli 1.499s ok git.eeqj.de/sneak/vaultik/internal/config 1.905s ok git.eeqj.de/sneak/vaultik/internal/crypto 0.519s ok git.eeqj.de/sneak/vaultik/internal/database 4.590s ok git.eeqj.de/sneak/vaultik/internal/globals 0.650s ok git.eeqj.de/sneak/vaultik/internal/models 0.779s ok git.eeqj.de/sneak/vaultik/internal/pidlock 2.945s ok git.eeqj.de/sneak/vaultik/internal/s3 3.286s ok git.eeqj.de/sneak/vaultik/internal/snapshot 3.979s ok git.eeqj.de/sneak/vaultik/internal/vaultik 4.418s ``` All tests pass, 0 lint issues.

clawbot added the

needs-checks

label 2026-02-20 11:23:02 +01:00

clawbot self-assigned this 2026-02-20 11:23:02 +01:00

clawbot added 1 commit 2026-02-20 11:23:03 +01:00

fix: verify blob hash after download and decryption (closes #5) ... a524eb415e

Add double-SHA-256 hash verification of decrypted plaintext in
FetchAndDecryptBlob. This ensures blob integrity during restore
operations by comparing the computed hash against the expected
blob hash before returning data to the caller.

Includes test for both correct hash (passes) and mismatched hash
(returns error).

clawbot commented 2026-02-20 11:23:23 +01:00

Author

Collaborator

Copy Link

make test output (lint + tests)

✅ All checks pass — 0 lint issues, all tests PASS.

golangci-lint run
0 issues.

ok  git.eeqj.de/sneak/vaultik/internal/blob       4.563s
ok  git.eeqj.de/sneak/vaultik/internal/blobgen    3.981s
ok  git.eeqj.de/sneak/vaultik/internal/chunker    4.127s
ok  git.eeqj.de/sneak/vaultik/internal/cli        1.499s
ok  git.eeqj.de/sneak/vaultik/internal/config     1.905s
ok  git.eeqj.de/sneak/vaultik/internal/crypto     0.519s
ok  git.eeqj.de/sneak/vaultik/internal/database   4.590s
ok  git.eeqj.de/sneak/vaultik/internal/globals    0.650s
ok  git.eeqj.de/sneak/vaultik/internal/models     0.779s
ok  git.eeqj.de/sneak/vaultik/internal/pidlock    2.945s
ok  git.eeqj.de/sneak/vaultik/internal/s3         3.286s
ok  git.eeqj.de/sneak/vaultik/internal/snapshot   3.979s
ok  git.eeqj.de/sneak/vaultik/internal/vaultik    4.418s

## `make test` output (lint + tests) ✅ **All checks pass** — 0 lint issues, all tests PASS. ``` golangci-lint run 0 issues. ok git.eeqj.de/sneak/vaultik/internal/blob 4.563s ok git.eeqj.de/sneak/vaultik/internal/blobgen 3.981s ok git.eeqj.de/sneak/vaultik/internal/chunker 4.127s ok git.eeqj.de/sneak/vaultik/internal/cli 1.499s ok git.eeqj.de/sneak/vaultik/internal/config 1.905s ok git.eeqj.de/sneak/vaultik/internal/crypto 0.519s ok git.eeqj.de/sneak/vaultik/internal/database 4.590s ok git.eeqj.de/sneak/vaultik/internal/globals 0.650s ok git.eeqj.de/sneak/vaultik/internal/models 0.779s ok git.eeqj.de/sneak/vaultik/internal/pidlock 2.945s ok git.eeqj.de/sneak/vaultik/internal/s3 3.286s ok git.eeqj.de/sneak/vaultik/internal/snapshot 3.979s ok git.eeqj.de/sneak/vaultik/internal/vaultik 4.418s ```

sneak added 1 commit 2026-02-20 11:24:46 +01:00

Merge branch 'main' into fix/verify-blob-hash f8d598b1d2

sneak commented 2026-02-20 11:25:37 +01:00

Owner

Copy Link

blobs may be larger than memory, we should not be storing them in variables.

blobs may be larger than memory, we should not be storing them in variables.

clawbot force-pushed fix/verify-blob-hash from f8d598b1d2 to 22efd90f8c 2026-02-20 11:29:22 +01:00 Compare

clawbot referenced this issue from a commit 2026-02-20 11:29:22 +01:00

refactor: stream blob hash verification instead of buffering in memory

clawbot commented 2026-02-20 11:29:34 +01:00

Author

Collaborator

Copy Link

Refactored: streaming blob hash verification

Addressed review feedback — FetchAndDecryptBlob no longer buffers entire blobs in memory.

Changes

• Removed FetchAndDecryptBlobResult struct with Data []byte
• Added hashVerifyReader — wraps the decrypted blob stream with a running SHA-256 hasher
• FetchAndDecryptBlob now returns io.ReadCloser instead of *FetchAndDecryptBlobResult
• Hash verification happens on Close() after the stream is fully consumed
• Callers that need []byte (e.g. downloadBlob in restore.go) can still io.ReadAll, but the API no longer forces buffering
• Updated tests to use streaming API

make test output

✅ All checks pass — 0 lint issues, all tests PASS.

golangci-lint run
0 issues.

ok  git.eeqj.de/sneak/vaultik/internal/blob       0.559s
ok  git.eeqj.de/sneak/vaultik/internal/blobgen    0.717s
ok  git.eeqj.de/sneak/vaultik/internal/chunker    0.945s
ok  git.eeqj.de/sneak/vaultik/internal/cli        1.806s
ok  git.eeqj.de/sneak/vaultik/internal/config     0.670s
ok  git.eeqj.de/sneak/vaultik/internal/crypto     0.876s
ok  git.eeqj.de/sneak/vaultik/internal/vaultik    3.972s

## Refactored: streaming blob hash verification Addressed review feedback — `FetchAndDecryptBlob` no longer buffers entire blobs in memory. ### Changes - **Removed** `FetchAndDecryptBlobResult` struct with `Data []byte` - **Added** `hashVerifyReader` — wraps the decrypted blob stream with a running SHA-256 hasher - `FetchAndDecryptBlob` now returns `io.ReadCloser` instead of `*FetchAndDecryptBlobResult` - Hash verification happens on `Close()` after the stream is fully consumed - Callers that need `[]byte` (e.g. `downloadBlob` in restore.go) can still `io.ReadAll`, but the API no longer forces buffering - Updated tests to use streaming API ### `make test` output ✅ All checks pass — 0 lint issues, all tests PASS. ``` golangci-lint run 0 issues. ok git.eeqj.de/sneak/vaultik/internal/blob 0.559s ok git.eeqj.de/sneak/vaultik/internal/blobgen 0.717s ok git.eeqj.de/sneak/vaultik/internal/chunker 0.945s ok git.eeqj.de/sneak/vaultik/internal/cli 1.806s ok git.eeqj.de/sneak/vaultik/internal/config 0.670s ok git.eeqj.de/sneak/vaultik/internal/crypto 0.876s ok git.eeqj.de/sneak/vaultik/internal/vaultik 3.972s ```

clawbot added

needs-review

and removed

needs-checks

labels 2026-02-20 12:45:43 +01:00

clawbot commented 2026-02-20 12:45:54 +01:00

Author

Collaborator

Copy Link

✅ make test passes cleanly

Lint: 0 issues
Fmt: clean
Tests: all passing

ok  	git.eeqj.de/sneak/vaultik/internal/blob	3.831s
ok  	git.eeqj.de/sneak/vaultik/internal/blobgen	3.386s
ok  	git.eeqj.de/sneak/vaultik/internal/chunker	3.968s
ok  	git.eeqj.de/sneak/vaultik/internal/cli	2.942s
ok  	git.eeqj.de/sneak/vaultik/internal/config	3.443s
ok  	git.eeqj.de/sneak/vaultik/internal/crypto	4.686s
ok  	git.eeqj.de/sneak/vaultik/internal/database	4.692s
ok  	git.eeqj.de/sneak/vaultik/internal/globals	4.093s
ok  	git.eeqj.de/sneak/vaultik/internal/models	3.031s
ok  	git.eeqj.de/sneak/vaultik/internal/pidlock	3.959s
ok  	git.eeqj.de/sneak/vaultik/internal/s3	4.980s
ok  	git.eeqj.de/sneak/vaultik/internal/snapshot	5.693s
ok  	git.eeqj.de/sneak/vaultik/internal/vaultik	6.015s

Removed needs-checks, added needs-review.

## ✅ `make test` passes cleanly **Lint:** 0 issues **Fmt:** clean **Tests:** all passing ``` ok git.eeqj.de/sneak/vaultik/internal/blob 3.831s ok git.eeqj.de/sneak/vaultik/internal/blobgen 3.386s ok git.eeqj.de/sneak/vaultik/internal/chunker 3.968s ok git.eeqj.de/sneak/vaultik/internal/cli 2.942s ok git.eeqj.de/sneak/vaultik/internal/config 3.443s ok git.eeqj.de/sneak/vaultik/internal/crypto 4.686s ok git.eeqj.de/sneak/vaultik/internal/database 4.692s ok git.eeqj.de/sneak/vaultik/internal/globals 4.093s ok git.eeqj.de/sneak/vaultik/internal/models 3.031s ok git.eeqj.de/sneak/vaultik/internal/pidlock 3.959s ok git.eeqj.de/sneak/vaultik/internal/s3 4.980s ok git.eeqj.de/sneak/vaultik/internal/snapshot 5.693s ok git.eeqj.de/sneak/vaultik/internal/vaultik 6.015s ``` Removed `needs-checks`, added `needs-review`.

clawbot added

merge-ready

and removed

needs-review

labels 2026-02-20 12:48:11 +01:00

clawbot removed their assignment 2026-02-20 12:48:26 +01:00

sneak was assigned by clawbot 2026-02-20 12:48:26 +01:00

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions.

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin fix/verify-blob-hash:fix/verify-blob-hash

git checkout fix/verify-blob-hash

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bot

Agent's turn to work

  

merge-ready

All checks pass, reviewed, rebased, ready for merge

  

needs-checks

make check does not pass cleanly

  

needs-rebase

PR has merge conflicts or is behind main

  

needs-review

Code review not yet done

  

needs-rework

Code review found issues to fix

No Label

bot

merge-ready

needs-checks

needs-rebase

needs-review

needs-rework

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

sneak

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/vaultik#39

No description provided.