
Verify mkcert binary SHA-256 checksum before execution#588

Draft
Copilot wants to merge 3 commits into huntercaron/mkcert-secure-ws from copilot/sub-pr-586

Conversation


Copilot AI commented Mar 6, 2026

Addresses the security implications of downloading and executing the mkcert binary without integrity verification. Since mkcert installs a root CA into the system trust store, a tampered binary (MITM or compromised release) could install a malicious CA and enable HTTPS interception.

Changes

  • Checksum verification on download — SHA-256 of the downloaded binary is computed in-memory and compared against hardcoded values before writing to disk; a mismatch throws with a clear tamper warning
  • Checksum verification on cache hit — cached binary is re-verified on each run; a mismatch triggers a re-download with a warning
  • Hardcoded checksums for all 7 mkcert v1.4.4 targets (darwin-amd64/arm64, linux-amd64/arm/arm64, windows-amd64/arm64) — must be updated alongside MKCERT_VERSION
  • getDownloadUrl → getDownloadInfo — now returns { url, expectedChecksum } so the checksum travels with the URL
  • Security notes in module JSDoc — documents the CA private key risk (~/.framer/code-link/rootCA-key.pem must not be shared/committed) and the checksum update requirement

Changelog

  • No user-facing changes

Testing

  • First-run: delete ~/.framer/code-link/mkcert (or the .exe), run the CLI, confirm the binary is downloaded and the WSS server starts
  • Cache hit: run again without deleting the binary, confirm "already available and verified" debug log and no re-download
  • Tamper detection: corrupt the cached binary (echo x >> ~/.framer/code-link/mkcert), confirm a re-download is triggered with the checksum warning


Copilot AI and others added 2 commits March 6, 2026 12:28
Co-authored-by: Nick-Lucas <8896153+Nick-Lucas@users.noreply.github.com>
Co-authored-by: Nick-Lucas <8896153+Nick-Lucas@users.noreply.github.com>

Copilot AI commented Mar 6, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/FiloSottile/mkcert/releases/tags/v1.4.4
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] WIP Address security implications and best practices for secure websockets" to "Verify mkcert binary SHA-256 checksum before execution" on Mar 6, 2026