Open schnatterer opened 3 years ago
:100: :+1: happy to start discussions on how bin can help the world to be a more secure place :hugs:
I finally had some time to collect my ideas on this topic.
Lots of binaries are offered for download alongside checksums and signatures. It would be great if bin could check one or both of them.
As there is no standard for how to create and offer checksums and signatures, I think it will not be possible to implement a simple one size fits all solution.
But I think some patterns are showing, that allow for implementing a best effort approach.
Checksums:
- `.sha256`, e.g. kubectl
- `.sha256sum`, e.g. helm
- `sha256sums`, e.g. dumb-init
- `sha256sums.txt`, e.g. ctop
- `checksums.txt` - bin :-P
- `<binary>_checksums.txt` - cfssl, vegata
- `checksum` or `sha256`

Signatures: `.asc` file on the GitHub release, or look for an additional file that appends a `.asc` suffix to the actual binary download, e.g.

So, summing up, I think
- validating checksums could be implemented rather easy and work for most binaries that offer checksums, providing at least a certain level of validation.
- On the other hand validating signatures will most likely cause more effort to be implemented and work only for a small number of binaries (also because only few binaries offer signatures at all).
What do you think?
Unfortunately, I won't be much help implementing this, due to lack of experience in programming in go 😞
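An added example, not code from this issue or from the bin project: a Go sketch of the best-effort approach proposed above. It looks for a checksum asset using the file-name patterns listed (exact candidates first, then anything containing `checksum` or `sha256`), parses both a bare-digest file and multi-line `sha256sum` output, and compares the SHA-256 of the downloaded bytes in constant time. The function names (`findChecksumAsset`, `parseChecksumFile`, `verify`) and the sample asset names and checksum file are constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"path"
	"strings"
)

// checksumCandidates lists exact asset names to try, following the naming
// patterns collected in the issue. These are heuristics, not a standard.
func checksumCandidates(binaryAsset string) []string {
	return []string{
		binaryAsset + ".sha256",    // kubectl style
		binaryAsset + ".sha256sum", // helm style
		"sha256sums",               // dumb-init style
		"sha256sums.txt",           // ctop style
		"checksums.txt",
	}
}

// findChecksumAsset returns the release asset most likely to hold the checksum
// for binaryAsset, or "" when no pattern matches. The fallback also catches the
// goreleaser-style "<project>_<version>_checksums.txt" name.
func findChecksumAsset(binaryAsset string, assets []string) string {
	for _, cand := range checksumCandidates(binaryAsset) {
		for _, a := range assets {
			if a == cand {
				return a
			}
		}
	}
	for _, a := range assets {
		lower := strings.ToLower(a)
		if a != binaryAsset && (strings.Contains(lower, "checksum") || strings.Contains(lower, "sha256")) {
			return a
		}
	}
	return ""
}

// parseChecksumFile accepts a bare digest ("<hex>") or sha256sum output
// ("<hex>  name" or "<hex> *name" per line). The result maps file name to
// lower-case hex digest; a bare digest is stored under the empty name.
func parseChecksumFile(content string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		digest := strings.ToLower(fields[0])
		if len(digest) != sha256.Size*2 {
			return nil, fmt.Errorf("not a sha256 digest: %q", fields[0])
		}
		if _, err := hex.DecodeString(digest); err != nil {
			return nil, fmt.Errorf("bad hex in %q: %w", line, err)
		}
		name := ""
		if len(fields) > 1 {
			name = strings.TrimPrefix(fields[1], "*") // "*" marks binary mode in sha256sum output
		}
		out[name] = digest
	}
	return out, sc.Err()
}

// lookupDigest finds the expected digest for binaryAsset: exact name, then a
// bare-digest file, then entries that list a path ending in the asset name.
func lookupDigest(binaryAsset string, sums map[string]string) (string, bool) {
	if d, ok := sums[binaryAsset]; ok {
		return d, true
	}
	if d, ok := sums[""]; ok && len(sums) == 1 {
		return d, true
	}
	for name, d := range sums {
		if name != "" && path.Base(name) == binaryAsset {
			return d, true
		}
	}
	return "", false
}

// verify hashes the downloaded bytes and compares them, in constant time,
// against the digest recorded for binaryAsset.
func verify(data []byte, binaryAsset string, sums map[string]string) error {
	want, ok := lookupDigest(binaryAsset, sums)
	if !ok {
		return fmt.Errorf("no checksum entry for %s", binaryAsset)
	}
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("checksum mismatch for %s: got %s want %s", binaryAsset, got, want)
	}
	return nil
}

// Constructed sample: a sha256sums.txt listing the digest of the bytes "hello".
const sampleSums = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  ctop-X.Y.Z-linux-amd64\n"

func main() {
	assets := []string{"ctop-X.Y.Z-linux-amd64", "ctop-X.Y.Z-darwin-amd64", "sha256sums.txt"}
	fmt.Println("checksum asset:", findChecksumAsset("ctop-X.Y.Z-linux-amd64", assets))
	sums, _ := parseChecksumFile(sampleSums)
	fmt.Println("good download:", verify([]byte("hello"), "ctop-X.Y.Z-linux-amd64", sums))
	fmt.Println("tampered download:", verify([]byte("hellp"), "ctop-X.Y.Z-linux-amd64", sums))
}
```

The lookup order matters: an exact candidate such as `kubectl.sha256` is preferred over the loose `contains "sha256"` fallback so that a release shipping both a per-binary digest and an aggregate file is checked against the specific one. A checksum published next to the binary only defends against corrupted or swapped downloads, not against a compromised release pipeline, which is the point raised about signatures below.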
> - validating checksums could be implemented rather easy and work for most binaries that offer checksums, providing at least a certain level of validation.

+1. Validating checksums is, I believe, a feature that improves overall integrity (even though, TBH, I rarely run checksums on the binaries that I download).

> - On the other hand validating signatures will most likely cause more effort to be implemented and work only for a small number of binaries (also because only few binaries offer signatures at all).

I don't see a clear path to provide a solution for this in the short term IMHO. Since if an attacker gets privileged access to a repository, and the CI is set up in a way that the .asc files are automatically added to the release, it really doesn't make any sense to validate signatures, which denotes that IMHO there's an opportunity for GitHub to improve on this aspect.

> Unfortunately, I won't be much help implementing this, due to lack of experience in programming in go

If you have the time and want to learn, this would be a good first issue. I can offer my help to guide you on what needs to be done here. We're always welcoming new contributors and new gophers :gopher: :tada:
Possibly related read: https://vulns.xyz/2022/05/auth-tarball-from-git/
bin is a wonderful tool that increases security for lots of users, due to the ease of keeping tools up to date. Thanks!
Speaking of security: some tools offer checksums and/or signatures on their release pages. Checking those would be a very useful addition.
Of course, difficult to implement in detail, e.g. where to get the public key to validate signatures and such. Still wanted to leave the idea here.