Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check integrity of the binary when already installed #237

Closed
corrieriluca opened this issue Aug 21, 2024 · 4 comments
Closed

Check integrity of the binary when already installed #237

corrieriluca opened this issue Aug 21, 2024 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@corrieriluca
Copy link

corrieriluca commented Aug 21, 2024
edited
Loading

Is your feature request related to a problem? Please describe.
When using tenv <tool> detect, tenv is only reading through path and filenames to determine if a version of the tool is already installed, without checking its integrity as it does during installation. I think it might be a good security measure.

Describe the solution you'd like
The tenv <tool> detect checks the integrity of the tool if already installed. Examples:

  • Already installed and has integrity 
    $ tenv tg detect
Found compatible version installed locally : 0.66.9
Checking integrity...
Downloading https://github.com/gruntwork-io/terragrunt/releases/download/v0.66.9/SHA256SUMS
Checksum OK!
Terragrunt 0.66.9 will be run from this directory.
  • Already installed but has an incorrect checksum 
    $ tenv tg detect
Found compatible version installed locally : 0.66.9
Checking integrity...
Downloading https://github.com/gruntwork-io/terragrunt/releases/download/v0.66.9/SHA256SUMS
Checksum failed! Warning: this could be a malicious binary.

Describe alternatives you've considered

  • Add a CLI flag to enable/disable this behavior (e.g. --checksum/--no-checksum)
  • Add a separate command to tenv to do the checksum (e.g. tenv <tool> check)

Additional context
When using containers in CI pipelines for example, one could pre-load binaries during the image build to save time and bandwidth, but still using tenv during runtime to check for their integrity. Since IaC tools are particularly sensitive and generally have high privileges, they can be a target of attacks with malicious binaries.
@kvendingoldo
Copy link
Collaborator

One question regarding "one could pre-load binaries ". Does it mean, that during the build these binaries will be installed by tenv? If so, it's possible to implement your request, otherwise, we have to detect PATHs for Terraform/Terragrunt/Atmos/Tofu somehow.

@kvendingoldo kvendingoldo added the question Further information is requested label Aug 21, 2024
@corrieriluca
Copy link
Author

Yes, when I mean "pre-load binaries" it would be with tenv to preserve consistency. Using tenv for installation would imply using tenv later for integrity checking.

@kvendingoldo
Copy link
Collaborator

In such case I think that we can implement this feature; it looks useful!

@kvendingoldo kvendingoldo added enhancement New feature or request good first issue Good for newcomers and removed question Further information is requested labels Aug 22, 2024
@dvaumoron
Copy link
Contributor

OpenTofu checksums are linked to archive, which is not convenient, and if we compute a specific checksum for the binary, where do we store it to ensure it will not be corrupted too?

@dvaumoron dvaumoron closed this as not planned Won't fix, can't repro, duplicate, stale Aug 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dvaumoron @kvendingoldo @corrieriluca