Closed raesene closed 2 years ago
Currently checking out OPA and was surprised to find that there weren't any checksums for the binary releases at all. This would be a welcome enhancement.
I agree that minimally we should publish checksums for the binaries that are attached to each release. We'll need to look into the best way to surface that in the docs.
hello, we had talked a bit with @anderseknert and @srenatus about it. IMHO, there are two ways to sign OPA binaries and containers images, and they are by using the public/private key approach or the keyless mode approach. There are similar efforts already available in some of the projects such as GoReleaser, cosign itself, ko. Maybe they might help you about understanding the concept. 🤝🥳
hello folks, I have a couple of comments here.
- `sha256sum <file>` instead of using `shasum -a 256`
- the `.sha256` file, which makes it harder to check within the CI/CD pipeline; that's why kubectl CLI's sha256 file only contains the sha256 part of the file without a file name, please see:

> Validate the binary (optional)
> Download the kubectl checksum file:
> `curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"`
> Validate the kubectl binary against the checksum file:
> `echo "$(<kubectl.sha256) kubectl" | sha256sum --check`
> If valid, the output is:
> `kubectl: OK`

So, I'm proposing to do the same for OPA, WDYT?
kindly ping @anderseknert @johanneslarsson @tsandall?
cc: @dentrax
`sha256sum` is only available on Linux, so I guess it could be changed there. But values will be the same?
`echo "$(cut -d ' ' -f1 opa_darwin_amd64.sha256) opa_darwin_amd64" | shasum -c`
Currently the OPA installation documentation involves downloading and executing a binary program.
At the moment, there's no mention in the documentation of how to validate a digital signature or checksum of the downloaded file prior to running it. If an attacker were able to compromise the system hosting the binary, this could leave users open to attack (as happened with Codecov).
A useful addition would be either to include checksums of the binary that can be validated, or to look at signing released files using something like cosign or notary.