-
Notifications
You must be signed in to change notification settings - Fork 555
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
install.sh: check checksums file's signature #2884
Comments
Hi @martinetd, thanks for the report! The .pem and .sig files come from a step in our build process that uses cosign to sign the checksum files of the binaries: https://github.com/anchore/syft/blob/main/.goreleaser.yaml#L263-L274 Here is one way you can verify the signatures using the cosign command:
There is also a PR against Grype to do this in the install.sh script, and it could probably be finished and ported over to Syft: anchore/grype#1670 Hopefully this helps! |
Thanks, I was able to verify locally. I've commented on grype's PR and agree once it's ready it'll be easy to update syft as well, let's continue over there :) |
What would you like to be added:
it'd be great if install.sh could verify releases a bit more thoroughly.
Why is this needed:
install.sh currently grabs the checksum file from github to check the download was correct, but this brings no value from a security perspective: both the checksums and the file are served from the same servers, so if a malicious actor can change the release binaries they can also update the checksums.
Additional context:
This is the third point of #519 - there doesn't seem to have been discussions about the signatures in there so I'm forking to a different issue to discuss more specifically this point (the branch pointed there talks about signature but it's since been merged so couldn't see what it contained, and the current install.sh still doesn't verify anything)
I also wasn't able to find where the checksums.txt.sig and checksums.txt.pem come from, so wasn't sure how to use them to check manually.
The .pem file looks like a base64 encoded, base64 encoded PEM file (no, I didn't stutter here - we can probably drop the external base64 encoding?)
The .sig file is just base64 encoded "data" without header, so it's not gpg? perhaps openssl cms? I didn't get that to work either..
But either way it looks like things are signed so it should be possible to check in install.sh -- ideally the caller could specify a fingerprint of the certificate as argument to install.sh, so the chain of trust would be:
curl install.sh | sh -s -- --fingerprint foobarxyz
The text was updated successfully, but these errors were encountered: