Open vermeeren opened 1 year ago
As a first step, I've added a m5sum and sha512sum for the kroki-server.jar on the latest release: https://github.com/yuzutech/kroki/releases/tag/v0.21.2
@ggrossetie Thanks! I do realise this turned out a lot bigger than expected and is more of a long-term incremental goal than a quick fix.
Kroki is a great project so really appreciate your work!
Originate from https://github.com/yuzutech/kroki/pull/1530#discussion_r1196583936
This is a meta issue for security when it comes to supply chain attacks and reproducibility of artefacts built by Kroki project. https://slsa.dev/ and https://slsa.dev/spec/v1.0/levels
I realise it's extremely broad so this probably serves as a starting point. Sub-issues for specific items should probably be used for implementation work.
Supply chain attacks
This is a significant attack surface that nowadays is seeing a lot of real exploits, imo this is number one priority.
npm
already does this inpackage-lock.json
through SHA512-sums.curl http://no-tls-insecure.site/script | bash -
.Artefact signing (post-build tampering)
This mostly only makes sense to do after doing the above. A lot of this is also quite young/early. Security-minded deployments have a high chance of being from source, so this is mostly just ideas.
OpenPGP (
gpg
) is one way to do things, but for containers etc there appear to be many other possibilities. I don't have much experience with this yet. Some references are https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/building_running_and_managing_containers/assembly_signing-container-images_building-running-and-managing-containers and https://github.com/sigstore.kroki-server.jar
, Docker images, there should be a way to verify this is the official Kroki binary and not modified by third party (GitHub, CDN, ...).Reproducible builds
kroki-server.jar
.cc @ggrossetie