moovweb / gvm

Go Version Manager
http://github.com/moovweb/gvm
MIT License

Feature: verify sha256 of curl downloaded binaries #408

Open jdstrand opened 2 years ago

jdstrand commented 2 years ago

In looking at https://github.com/moovweb/gvm/blob/master/scripts/install I noticed that download_binary() downloads the go tarball via curl and then proceeds to untar the binary without verifying it, which is susceptible to a supply chain issue (e.g., codecov, where users would download a script via curl and execute it[1]).

Feature request: Go upstream doesn't appear to provide signed build artifacts or a signed document of sha256sums, but Go upstream does provide individual sha256's of each tarball, which can be seen on https://go.dev/dl/, so it should be possible to incorporate a sha256sum check of the tarball. A meaningful security improvement would be to store the known valid sha256sums within the gvm project somewhere and compare the downloaded tarball against them, since that would detect changes to the tarball on the webserver.

Rationale: note that today the downloads are happening over HTTPS, so a successful supply chain attack requires changes to the files on the webserver. Some might argue that changing files on a Google server would require more sophistication than can be protected against in gvm, but serving build artifacts is different than creating them in the first place (different systems, different credentials, different attack surface, different availability from the internet, etc) and verifying a build artifact against a known checksum would detect changes in the tarball and help protect gvm users against attacks on the webserver (it does not protect against attacks on the build server of course). Since there doesn't seem to be a signed document of valid sha256sums that we could verify the signature of and compare the downloaded tarball against, gvm must store the sha256sums locally (since it is reasonable to assume that if an attacker could replace the tarball on the webserver, the attacker may also be able to replace the sha256sum on the same webserver).

It looks like gvm users can use install_go() functionality in the meantime to compile go releases from source (coming from git clone) rather than using unverified precompiled binaries.

Thanks for considering this improvement!

[1] Note: I understand that gvm is primarily for local development as opposed to integration with CI systems like codecov is. I mention codecov only to highlight how supply chain attacks are conducted.
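As an added illustration of the check jdstrand proposes (example code, not gvm's install script or anything from the project): a shell function that compares a downloaded tarball's SHA-256 against a table of known-good sums stored alongside the installer, refusing to untar on mismatch or on an unrecorded version. The table entry, file names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not gvm's install script: check a downloaded tarball against a
# table of known-good SHA-256 sums carried in the project, as the issue proposes.
set -u

# Known-good sums keyed by tarball name. This entry is CONSTRUCTED for the demo
# (its "tarball" is the six bytes "hello\n"); a real table would hold the sums
# published at https://go.dev/dl/ at the time of the gvm release.
known_sha256() {
    case "$1" in
        go-example.tar.gz) echo 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 ;;
        *) return 1 ;;
    esac
}

# SHA-256 of a file, via coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball NAME PATH: returns 0 only if PATH matches the stored sum for NAME.
# An unrecorded NAME is refused rather than skipped, so an unknown version is
# never silently trusted. Full hex strings are compared, never a prefix.
verify_tarball() {
    expected=$(known_sha256 "$1") || { echo "no known sha256 for $1; refusing" >&2; return 1; }
    actual=$(sha256_of "$2") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $1: expected $expected got $actual" >&2
        return 1
    fi
}

# Demo on constructed files: an intact download and one altered by a single byte.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/good.tar.gz"
    printf 'hellp\n' > "$tmp/bad.tar.gz"
    verify_tarball go-example.tar.gz "$tmp/good.tar.gz" && echo "good.tar.gz: verified, safe to untar"
    verify_tarball go-example.tar.gz "$tmp/bad.tar.gz" || echo "bad.tar.gz: rejected, not untarred"
    rm -rf "$tmp"
}
```

In an installer the call would sit between the curl download and the tar extraction, with a non-zero return aborting the install; the table is what the downloaded file is checked against, so it must ship with gvm rather than be fetched from the same server as the tarball.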

ankitcharolia commented 11 months ago

@jdstrand kindly try this GO Version Manager: https://github.com/ankitcharolia/goenv