search

teamhephy / workflow-cli

MIT License
2 stars 13 forks source link

Download Script SSL #22

Closed Cryptophobia closed 6 years ago

Cryptophobia commented 6 years ago

From @croemmich on August 25, 2016 5:20

The download script listed in the docs (http://deis.io/deis-cli/install-v2.sh) is currently being served over a non-ssl connection allowing a MITM attack to replace the script and fetch a rogue client binary. That'd be all sorts of bad...

Copied from original issue: deis/workflow-cli#200

Cryptophobia commented 6 years ago

From @bacongobbler on August 25, 2016 14:55

The problem right now is that the install script is hosted by Github Pages, which does not support SSL. For the time being, the best way to prevent MITM attacks and to use SSL for installing the client is to either

  1. verify that the script downloaded with curl matches https://github.com/deis/deis.io/blob/gh-pages/deis-cli/install-v2.sh
  2. manually download the client via curl -o deis https://storage.googleapis.com/workflow-cli/v2.3.0/deis-v2.3.0-linux-amd64
  3. Use curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash instead.

Hope this helps :)

Cryptophobia commented 6 years ago

From @Joshua-Anderson on August 25, 2016 15:25

@slack Would it be possible to move this script to deis.com? I guess that would close source the script, but we could also move it to a subdomain like what we do for helm classic and get.helm.sh.

Cryptophobia commented 6 years ago

From @croemmich on August 25, 2016 18:12

Could you move the source to the documentation repository? If I'm not mistaken, that gets built and hosted on deis.com which has ssl. The script doesn't really do that much and is only every referenced from the documentation.

Cryptophobia commented 6 years ago

From @bacongobbler on August 25, 2016 19:4

I think that'd be reasonable since deis.com is a private repo due to licensing issues with the blog posts. It would allow contributors to continue providing updates and enhancements to the script and we get it backed by SSL. Problem is that the URL would then be https://deis.com/docs/workflow/deis-cli/install-v2.sh which would be a little too long to type out. Optimally if it were hosted by deis.com it would be preferred to have it at something like https://deis.com/install-v2.sh

Cryptophobia commented 6 years ago

From @croemmich on August 27, 2016 0:16

Personally, I'll probably always copy and paste it so length doesn't matter much to me. As far as your deis.com brand goes, https://deis.com/install-v2.sh would definitely be optimal.

Cryptophobia commented 6 years ago

From @bacongobbler on September 19, 2016 20:54

We're planning on a site-wide migration over to deis.com so this will eventually happen. The ticket for doing this is behind closed doors (so to speak) so there's no public announcement on when that'll happen, but there is a migration plan for deis.io content to move to deis.com.

This isn't something we can implement within this release though, so I'll remove the milestone. I'm also removing the priority as there is a workaround for users who are concerned about MITM attacks:

curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash
Cryptophobia commented 6 years ago

From @rvadim on December 21, 2016 4:1

Download of 2.3.0 works fine, but latest versions not actually works

$ curl -o deis https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   127  100   127    0     0    224      0 --:--:-- --:--:-- --:--:--   225
/ $ cat deis
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.0/deis-v2.9.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.8.0/deis-v2.8.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
Cryptophobia commented 6 years ago

From @mboersma on December 21, 2016 15:58

@rvadim that URL isn't correct, it should be in the "workflow-cli-release" directory. Try this one:

$ curl -o deis https://storage.googleapis.com/workflow-cli-release/v2.9.1/deis-v2.9.1-linux-amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9021k  100 9021k    0     0  14.1M      0 --:--:-- --:--:-- --:--:-- 14.1M
Cryptophobia commented 6 years ago

From @rvadim on December 22, 2016 4:15

@mboersma Thank you.

Cryptophobia commented 6 years ago

We moved this cli download script to this Github home repo and using Google Storage to host the cli binaries so this issue is closed via https://github.com/teamhephy/workflow-cli/pull/34