From d411b9aca0f00b04bc43100fb6b43c71db33ba3a Mon Sep 17 00:00:00 2001
From: Stu Leak <leaktechnologies@proton.me>
Date: Sun, 11 Jan 2026 07:26:41 -0500
Subject: [PATCH] Verify whisper model checksum on install

---
 scripts/install.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scripts/install.sh b/scripts/install.sh
index 3000af4..5ebc188 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -349,6 +349,7 @@ else
     whisper_model_dir="$HOME/.local/share/whisper.cpp/models"
     whisper_model_dest="$whisper_model_dir/ggml-small.bin"
     whisper_model_url="https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-small.bin"
+    whisper_sha_url="https://huggingface.co/ggerganov/whisper.cpp/raw/main/ggml-small.bin"
     mkdir -p "$whisper_model_dir"
     if [ -f "$whisper_model_src" ]; then
         if [ ! -f "$whisper_model_dest" ]; then
@@ -367,6 +368,32 @@ else
                 echo "Install one of them or place ggml-small.bin at $whisper_model_src"
                 exit 1
             fi
+            # Verify checksum using official LFS pointer when possible.
+            if command -v sha256sum &> /dev/null || command -v shasum &> /dev/null; then
+                if command -v curl &> /dev/null; then
+                    whisper_sha="$(curl -sL "$whisper_sha_url" | awk '/oid sha256:/ {print $3}' | cut -d: -f2)"
+                elif command -v wget &> /dev/null; then
+                    whisper_sha="$(wget -qO- "$whisper_sha_url" | awk '/oid sha256:/ {print $3}' | cut -d: -f2)"
+                fi
+                if [ -n "$whisper_sha" ]; then
+                    if command -v sha256sum &> /dev/null; then
+                        actual_sha="$(sha256sum "$whisper_model_dest" | awk '{print $1}')"
+                    else
+                        actual_sha="$(shasum -a 256 "$whisper_model_dest" | awk '{print $1}')"
+                    fi
+                    if [ "$actual_sha" != "$whisper_sha" ]; then
+                        echo -e "${RED}[ERROR]${NC} Whisper model checksum mismatch."
+                        echo "Expected: $whisper_sha"
+                        echo "Actual:   $actual_sha"
+                        exit 1
+                    fi
+                    echo -e "${GREEN}[OK]${NC} Whisper model checksum verified"
+                else
+                    echo -e "${YELLOW}WARNING:${NC} Could not fetch official checksum; skipping verification."
+                fi
+            else
+                echo -e "${YELLOW}WARNING:${NC} sha256sum/shasum not available; skipping checksum verification."
+            fi
             echo -e "${GREEN}[OK]${NC} Whisper small model downloaded to $whisper_model_dir"
         fi
     fi