Upgrade xapian to 1.4.31 and add sha256 check to avoid supply chain attack

core/management/commands/install_xapian.py

@@ -39,12 +39,16 @@ class Command(BaseCommand):
             return None
         return xapian.version_string()
 
-    def _desired_version(self) -> str:
+    def _desired_version(self) -> tuple[str, str, str]:
         with open(
             Path(__file__).parent.parent.parent.parent / "pyproject.toml", "rb"
         ) as f:
             pyproject = tomli.load(f)
-            return pyproject["tool"]["xapian"]["version"]
+            return (
+                pyproject["tool"]["xapian"]["version"],
+                pyproject["tool"]["xapian"]["core-sha256"],
+                pyproject["tool"]["xapian"]["bindings-sha256"],
+            )
 
     def handle(self, *args, force: bool, **options):
         if not os.environ.get("VIRTUAL_ENV", None):
@@ -53,7 +57,7 @@ class Command(BaseCommand):
             )
             return
 
-        desired = self._desired_version()
+        desired, core_checksum, bindings_checksum = self._desired_version()
         if desired == self._current_version():
             if not force:
                 self.stdout.write(
@@ -65,7 +69,12 @@ class Command(BaseCommand):
             f"Installing xapian version {desired} at {os.environ['VIRTUAL_ENV']}"
         )
         subprocess.run(
-            [str(Path(__file__).parent / "install_xapian.sh"), desired],
+            [
+                str(Path(__file__).parent / "install_xapian.sh"),
+                desired,
+                core_checksum,
+                bindings_checksum,
+            ],
             env=dict(os.environ),
             check=True,
         )

core/management/commands/install_xapian.sh

@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
 # Originates from https://gist.github.com/jorgecarleitao/ab6246c86c936b9c55fd
 # first argument of the script is Xapian version (e.g. 1.2.19)
+# second argument of the script is core sha256
+# second argument of the script is binding sha256
 VERSION="$1"
+CORE_SHA256="$2"
+BINDINGS_SHA256="$3"
 
 # Cleanup env vars for auto discovery mechanism
 unset CPATH
@@ -21,9 +25,15 @@ BINDINGS=xapian-bindings-$VERSION
 
 # download
 echo "Downloading source..."
-curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz"
+curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz" || exit 1
+
+echo "${CORE_SHA256}  ${CORE}.tar.xz" | sha256sum -c - || exit 1
+
 curl -O "https://oligarchy.co.uk/xapian/$VERSION/${BINDINGS}.tar.xz"
 
+echo "${BINDINGS_SHA256}  ${BINDINGS}.tar.xz" | sha256sum -c - || exit 1
+
+
 # extract
 echo "Extracting source..."
 tar xf "${CORE}.tar.xz"

pyproject.toml

@@ -92,7 +92,12 @@ docs = [
 default-groups = ["dev", "tests", "docs"]
 
 [tool.xapian]
-version = "1.4.29"
+version = "1.4.31"
+# Those hashes are here to protect against supply chains attacks
+# They are obtained by downloawing xapian-core and xapian-bindings from xapian.org
+# and running `sha256sum` on the downloaded compressed files
+core-sha256 = "fecf609ea2efdc8a64be369715aac733336a11f7480a6545244964ae6bc80811"
+bindings-sha256 = "a38cc7ba4188cc0bd27dc7369f03906772047087a1c54f1b93355d5e9103c304"
 
 [tool.ruff]
 output-format = "concise" # makes ruff error logs easier to read

uv.lock

@@ -817,7 +817,6 @@ wheels = [
 name = "griffelib"
 version = "2.0.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ad/06/eccbd311c9e2b3ca45dbc063b93134c57a1ccc7607c5e545264ad092c4a9/griffelib-2.0.0.tar.gz", hash = "sha256:e504d637a089f5cab9b5daf18f7645970509bf4f53eda8d79ed71cce8bd97934", size = 166312, upload-time = "2026-03-23T21:06:55.954Z" }
 wheels = [
     { url = "https://files.pythonhosted.org/packages/4d/51/c936033e16d12b627ea334aaaaf42229c37620d0f15593456ab69ab48161/griffelib-2.0.0-py3-none-any.whl", hash = "sha256:01284878c966508b6d6f1dbff9b6fa607bc062d8261c5c7253cb285b06422a7f", size = 142004, upload-time = "2026-02-09T19:09:40.561Z" },
 ]
@@ -1734,11 +1733,11 @@ wheels = [
 
 [[package]]
 name = "pygments"
-version = "2.20.0"
+version = "2.19.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c3/b2/bc9c9196916376152d655522fdcebac55e66de6603a76a02bca1b6414f6c/pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f", size = 4955991, upload-time = "2026-03-29T13:29:33.898Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f4/7e/a72dd26f3b0f4f2bf1dd8923c85f7ceb43172af56d63c7383eb62b332364/pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176", size = 1231151, upload-time = "2026-03-29T13:29:30.038Z" },
+    { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" },
 ]
 
 [[package]]