From 94f096787803bffbebb7a41e1e2419e0c6d1b342 Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Thu, 4 Dec 2025 18:07:44 +0100
Subject: [PATCH] security: add SHA256 checksum verification for easy-rsa download

Adds integrity verification to prevent supply chain attacks when downloading easy-rsa from GitHub releases.
---
 openvpn-install.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7bb0bd0..5c1f8b0 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -746,7 +746,14 @@ function installOpenVPN() {
 	# Install the latest version of easy-rsa from source, if not already installed.
 	if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
 		local version="3.1.2"
+		local easy_rsa_sha256="d63cf129490ffd6d8792ede7344806c506c82c32428b5bb609ad97ca6a6e4499"
 		wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
+		echo "${easy_rsa_sha256} ~/easy-rsa.tgz" | sha256sum -c
+		if [[ $? -ne 0 ]]; then
+			echo "SHA256 checksum verification failed for easy-rsa download!"
+			rm -f ~/easy-rsa.tgz
+			exit 1
+		fi
 		mkdir -p /etc/openvpn/easy-rsa
 		tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa
 		rm -f ~/easy-rsa.tgz
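Review bot: The added check cannot pass in normal use, because `~` is not tilde-expanded inside double quotes: `echo "${easy_rsa_sha256} ~/easy-rsa.tgz" | sha256sum -c` hands sha256sum the literal relative path `~/easy-rsa.tgz`, so the verification fails with a "No such file or directory" error on every run even though the unquoted `~/easy-rsa.tgz` in the wget line above did expand to the home directory. Spelling the path as `${HOME}/easy-rsa.tgz` (with the conventional two spaces between digest and name) fixes it, and testing the pipeline directly removes the separate `$?` line: `if ! echo "${easy_rsa_sha256}  ${HOME}/easy-rsa.tgz" | sha256sum -c --status; then`. The diagnostic on the following line belongs on stderr, `echo "SHA256 checksum verification failed for easy-rsa download!" >&2`, and wget's own exit status is still unchecked, though a missing file is at least caught by the digest step. Since the pinned digest is only valid for 3.1.2, a comment next to `local version` saying that `easy_rsa_sha256` must be updated in the same change would stop the installer from failing closed on the next version bump. installOpenVPN starts and ends outside the hunk.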