imjasonh / setup-crane

Apache License 2.0

Checksum verification #1

Open jdolitsky opened 3 years ago

jdolitsky commented 3 years ago

Does it make sense to validate the checksum of release tarballs prior to unpacking?

Maybe as an optional input param?

imjasonh commented 3 years ago

Is that something I can get from GitHub? I'd rather not have to maintain a mapping of version->sha myself.

That means a compromised GitHub can lie to us about the artifact and its sha, but then they could also lie to users about what this action is configured to do, so 🤷‍♂️

jdolitsky commented 3 years ago

It'd be something as a user I could provide (optionally):

```yaml
- uses: imjasonh/setup-crane@v0.1
  with:
    version: v0.6.0
    checksum: b71c7ca16abff07787516efbe0c06c129d273f34490d6a85f815cec980fffe85
```

Happy to PR this
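For reference, this is what the optional `checksum` input described above would have to do on the runner: compute the SHA-256 of the downloaded release tarball, compare it to the user-supplied value, and only unpack on a match. The following is an added example, not code from setup-crane or from either commenter; it assumes `sha256sum` (coreutils) is present, falling back to `shasum -a 256` on macOS runners, and the `verify_checksum` / `unpack_if_verified` function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of setup-crane): verify a release tarball's
# SHA-256 against a user-supplied expected digest before unpacking it.
# Assumes `sha256sum` is available; falls back to `shasum -a 256`.

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED -> 0 on match, 1 on mismatch.
# The expected value is whitespace-trimmed and lower-cased so a digest
# pasted from a release page compares equal regardless of case.
verify_checksum() {
  file="$1"
  expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# unpack_if_verified TARBALL EXPECTED DESTDIR
# Extracts only when the digest matches. On mismatch the tarball is removed
# so a later step cannot unpack the unverified file by accident.
unpack_if_verified() {
  if verify_checksum "$1" "$2"; then
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
  else
    rm -f "$1"
    return 1
  fi
}

# Demo with a constructed tarball (not a real crane release).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src" && echo "fake crane binary" > "$tmp/src/crane"
  tar -czf "$tmp/crane.tar.gz" -C "$tmp/src" crane
  good=$(sha256_of "$tmp/crane.tar.gz")
  unpack_if_verified "$tmp/crane.tar.gz" "$good" "$tmp/out" && echo "verified and unpacked"
  rm -rf "$tmp"
}
```

As the thread notes, this only adds protection when `version` is pinned: a `latest` or tip download has no stable digest to compare against, so the input would have to be ignored or rejected in that mode.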

imjasonh commented 3 years ago

I guess my question is, what kind of attack/error are you trying to guard against? Malicious/compromised crane maintainers pushing a new crane binary in a release?

jdolitsky commented 3 years ago

Yes.

But I suppose if they get you, they can get this action too :sob:

imjasonh commented 3 years ago

Yeah, more or less.

I'm not opposed to adding it, I just don't think I'd use it myself. And it'd only be useful for version-pinned releases, not latest-release (the default) or tip.