dbg install lldb: no integrity check on downloaded LLVM binary #5

@OnyxynO

Description

Summary

In src/commands/install.ts, the dbg install lldb command downloads an LLVM archive from GitHub Releases and extracts lldb-dap without verifying its integrity:

const response = await fetch(url, { redirect: "follow" });
// ...
const tarball = await response.arrayBuffer();
// No SHA256 / signature check before extraction and execution

Impact

If the download is intercepted (MITM, compromised CDN) or the GitHub release is tampered with, a malicious lldb-dap binary would be silently installed and later executed on the user's machine when using --runtime lldb.

This is the classic supply chain attack vector for installers that skip checksum verification.

Suggested fix

LLVM publishes SHA256 checksums alongside their releases. After downloading the archive, verify its hash before extraction:

import { createHash } from "node:crypto";

const hash = createHash("sha256").update(Buffer.from(tarball)).digest("hex");
if (hash !== EXPECTED_SHA256[`${os}-${arch}`]) {
  throw new Error(`Integrity check failed: expected ${EXPECTED_SHA256[...]} got ${hash}`);
}

The expected hashes can be hardcoded per version (and updated with each LLVM_VERSION bump) or fetched from a trusted source.


Found during a security audit of v0.3.0.
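An added worked example of the check the report asks for, written here for illustration and not taken from the dbg project's install.ts. It assumes a checksum manifest in the `sha256sum` line format (`<hex digest>  <filename>`), hashes the downloaded bytes, compares digests in constant time, and only hands the archive to an extraction callback when the digest matches. The archive bytes, manifest and filename in `demo()` are constructed placeholders.

```typescript
// Added example (not the dbg project's code): verify a downloaded archive
// against an expected SHA256 digest before anything is extracted or run.
import { createHash, timingSafeEqual } from "node:crypto";

// Parse a checksum manifest in the common `sha256sum` line format
//   <64 hex chars>  <filename>
// into a filename -> lowercase digest map. Lines that do not match the
// format are ignored rather than trusted.
export function parseSha256Manifest(text: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const m = /^([0-9a-f]{64})\s+\*?(\S+)$/i.exec(raw.trim());
    if (m) out.set(m[2], m[1].toLowerCase());
  }
  return out;
}

// SHA256 of the raw bytes as lowercase hex; accepts the ArrayBuffer that
// fetch().arrayBuffer() returns or a Uint8Array.
export function sha256Hex(data: ArrayBuffer | Uint8Array): string {
  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
  return createHash("sha256").update(bytes).digest("hex");
}

// Constant-time comparison of the computed digest with the expected one.
// A malformed expected value yields false (never a pass), so a missing or
// corrupted manifest entry cannot be mistaken for a successful check.
export function digestMatches(actualHex: string, expectedHex: string): boolean {
  if (!/^[0-9a-f]{64}$/i.test(expectedHex)) return false;
  const a = Buffer.from(actualHex, "hex");
  const b = Buffer.from(expectedHex, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

export class IntegrityError extends Error {}

// Gate extraction on verification: `extract` runs only when the archive's
// digest matches the manifest entry for its filename; otherwise an
// IntegrityError is thrown and the bytes never reach the extractor.
export function extractVerified<T>(
  archive: ArrayBuffer | Uint8Array,
  filename: string,
  manifest: Map<string, string>,
  extract: (bytes: Uint8Array) => T,
): T {
  const expected = manifest.get(filename);
  if (expected === undefined) {
    throw new IntegrityError(`no checksum entry for ${filename}`);
  }
  const actual = sha256Hex(archive);
  if (!digestMatches(actual, expected)) {
    throw new IntegrityError(
      `integrity check failed for ${filename}: expected ${expected} got ${actual}`,
    );
  }
  const bytes = archive instanceof Uint8Array ? archive : new Uint8Array(archive);
  return extract(bytes);
}

// Constructed demo: a stand-in "archive", a manifest built from its real
// digest, and a single-bit-flipped copy that must be rejected.
export function demo(): { accepted: boolean; rejected: boolean } {
  const archive = new TextEncoder().encode("constructed stand-in for an LLVM tarball");
  const name = "clang+llvm-EXAMPLE-x86_64-linux.tar.xz"; // placeholder filename
  const manifest = parseSha256Manifest(`${sha256Hex(archive)}  ${name}\n`);
  const accepted =
    extractVerified(archive, name, manifest, (b) => b.length) === archive.length;
  const tampered = Uint8Array.from(archive);
  tampered[0] ^= 0x01;
  let rejected = false;
  try {
    extractVerified(tampered, name, manifest, (b) => b.length);
  } catch (e) {
    rejected = e instanceof IntegrityError;
  }
  return { accepted, rejected };
}
```

In a real installer the manifest text would come from the release's published checksum file (or be pinned in the source per LLVM_VERSION, as the report suggests), and the filename key would be the archive name chosen for the current os/arch; the hash must be computed over exactly the bytes that will be extracted, not over a re-read of a file that could change on disk in between.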
