merklecounty / rget

download URLs and verify the contents against a publicly recorded cryptographic log
https://merklecounty.com
Apache License 2.0

support other schemes like docker or git #2

Open philips opened 5 years ago

philips commented 5 years ago

It would be really helpful for many projects to have a release include schemes that are not application/octet-stream's downloaded over https. The two highest priorities might be:

One challenge with git is all of the digests are SHA1 and the tool currently probes for digests at a SHA256SUMS URL. However, I chose SHA256SUMS because it was familiar to people and because some existing tools supported it, not necessarily because it is the best possible file format.

The UX for such a tool would probably be something like:

git clone https://github.com/merklecounty/rget
rget git check $tag

For a docker container, I think Kubernetes integration would be most useful as an admission controller and also a tool to verify container images running in a cluster.

rget kube verify -n $namespace $pod

This is just a braindump and sketch. More input appreciated.

fungi commented 5 years ago

[...]

One challenge with git is all of the digests are SHA1 and the tool currently probes for digests at a SHA256SUMS URL. However, I chose SHA256SUMS because it was familiar to people and because some existing tools supported it, not necessarily because it is the best possible file format. [...]

Keep in mind that Git is working on transitioning to SHA2-256 along with future-proof hash agility; it's just a long road and probably won't be seeing much penetration for a couple more years. It might be okay to build your schema with that future in mind, rather than trying to come up with complex mitigations for a problem which is expected to go away in time.
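An added illustration of the digest mismatch discussed in this thread (not part of the thread and not rget code): a Git object ID covers a `<type> <size>\0` header plus the content, so it never equals the plain SHA-256 that a SHA256SUMS line records, under either Git hash. The algorithm-tagged `algo:hex` entry format and the function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// GitObjectID hashes content the way Git names an object: the digest covers
// the header "<type> <size>\x00" followed by the raw bytes.
func GitObjectID(algo, objType string, content []byte) (string, error) {
	var h hash.Hash
	switch algo {
	case "sha1":
		h = sha1.New()
	case "sha256":
		h = sha256.New()
	default:
		return "", fmt.Errorf("unsupported hash algorithm %q", algo)
	}
	fmt.Fprintf(h, "%s %d\x00", objType, len(content))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyRecorded checks content against an algorithm-tagged entry such as
// "sha1:3b18...". The "algo:hex" form is a hypothetical schema, not rget's.
func VerifyRecorded(entry, objType string, content []byte) (bool, error) {
	parts := strings.SplitN(entry, ":", 2)
	if len(parts) != 2 {
		return false, fmt.Errorf("entry %q has no algorithm tag", entry)
	}
	got, err := GitObjectID(parts[0], objType, content)
	if err != nil {
		return false, err
	}
	return got == strings.ToLower(parts[1]), nil
}

func main() {
	blob := []byte("hello world\n") // constructed sample content
	for _, algo := range []string{"sha1", "sha256"} {
		id, _ := GitObjectID(algo, "blob", blob)
		fmt.Printf("%-6s %s\n", algo, id)
	}
	fmt.Printf("plain  %x\n", sha256.Sum256(blob)) // what a SHA256SUMS line would hold
}
```

Tagging each recorded digest with its algorithm lets one log hold today's SHA-1 object IDs and later SHA-256 ones without changing the file format.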