Add checksum validation of downloaded archives #205
Comments
|
Hello @ppetr That would be great. However I've left this aside for now because I fear there will be a lot of nitty gritty details (checksums for compressed binaries, checksums inside tarballs, non standard checksum file formats, ...). If you want to tackle this please go ahead. The above proposal seems fine to me. Keep us informed ! |
|
Great! Let's keep it simple, just to verify checksums of tarballs as they're already provided. Later we can think of expanding it, if needed. I'll then start working on a prototype and I'll keep you updated 🙂. |
|
After some experimenting I came to the following ideas, which can be implemented relatively independently. Provide a checksum of a checksum file for each released version. This is the simplest solution and probably easiest to work with for authors/maintainers, but it's a bit more verbose in the distribution file. fzf:
description: fzf is a general-purpose command-line fuzzy finder.
url: https://github.com/junegunn/fzf/
list:
type: github-releases
url: https://api.github.com/repos/junegunn/fzf/releases
fetch:
url: https://github.com/junegunn/fzf/releases/download/{{ .Version }}/fzf-{{ .Version }}-{{ .OS }}_{{ .Arch }}.tar.gz
integrity:
url: https://github.com/junegunn/fzf/releases/download/{{ .Version }}/fzf_{{ .Version }}_checksums.txt
checksums:
- url: https://github.com/junegunn/fzf/releases/download/0.30.0/fzf_0.30.0_checksums.txt
type: sha256
checksum: 43cc37783e0bf4ed775109379b3e2073ea2bb29c9e4811d07907c868435e1b7e
# Other versions follow.
install:
type: tgz
binaries:
- fzfUse OpenPGP to sign chechsum files. This is often done by authors that already use PGP. A random example: https://github.com/orgrim/pg_back/releases/tag/v2.1.0. The release includes the integrity:
url: https://github.com/junegunn/fzf/releases/download/{{ .Version }}/fzf_{{ .Version }}_checksums.txt.sig
public_key:
# This would require https://gopenpgp.org/, probably a more heavy-weight library.
openpgp:
- |
-----BEGIN PGP PUBLIC KEY BLOCK -----
... |
|
So my questions are:
|
|
Well, I think I did not understand your initial proposal. I thought you wanted to grab the checksums (when they existed) from the released artifacts and compare to what has been downloaded by But it seems you'd like to add checksums for all versions in I do not think we should be the custodians of fingerprints, this is too much responsibilities (and also, quite a chore to maintain; try a So I am not convinced we're heading the right way here. |
|
I see your point. From reliability perspective, checking against checksum files in releases might help a bit, but I guess modern https is very good already in ensuring reliable transmission. And since files are always compressed, their internal integrity is verified by mechanisms such as CRCs built in decompression algorithms. My perspective is rather security. Imagine let's say a GitHub account of a very popular binary becomes compromised. An attacker can replace/create a release with corrupted binaries as well as matching hashes. Then thousands of computers will became infected by malware. I agree that maintaining checksums of individual files is just not maintainable. Then how about authors' PGP public keys and/or fingerprints? This means adding just one string once for every eligible project that won't change over time (or extremely rarely). This information could be even scraped automatically for example from project README.md files (if present). But with an important feature that they'd never be changed by automation once present. Then:
That way a reasonable level of security can be reached and hopefully with little intrusion. |
|
Interesting. Do you have examples of such signed releases ? |
|
Let me give a couple of examples:
The checksums are either given as a single file (usually I also found out that the fingerprint of the signer's key can be extracted from a signature (https://security.stackexchange.com/q/62916/12485). Which means it'd be possible to collect these fingerprints from all projects that contain such a signature without requiring the authors to publish the key somewhere, making the process even more seamless. |
|
I understand and that's really interesting. However there are a lot of devilish details to handle (gpg availability on the system being one of them, fetching hashes, keys, ...). It is quite a piece to do, and will only apply to a very small subset of distributions. If someone wants to take this, that's fine with me. But I am not sure that with the time in my hands I can do this right now. I feel that some kind of autodiscover feature for repo should be written (after having to add and debug almost 300 entries in the distributions file, you really feel the urge for this tool). May be it could handle this and we could adapt the sources struct to handle signatures. But again, time is lacking on my side, sorry. |
While downloading from GitHub via HTTPS gives a reasonable level of security, I'd still prefer to have the binaries verified against their respective checksum files.
I propose to add a field with a URL to a checksum file together with a checksum of the file itself. Example:
After downloading an archive for
foo_binary,binenvwould also download thechecksums.txtfile, verify its integrity, and then verify the integrity of the archive against the appropriate checksum inchecksums.txt.An alternative would be to include all the hashes in
distributions.yamlitself, but I think it'd be way too verbose.I'm happy to contribute a PR once an agreement is reached on the details.
The text was updated successfully, but these errors were encountered: