-
Notifications
You must be signed in to change notification settings - Fork 30
binary builder should check authenticity and integrity of downloaded packages #4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
Hey @gberche-orange. Thanks for bringing this to our attention. I think we should definitely download sources via HTTPS at all times, and figure out a non-intrusive way to verify signatures. We had started this project off by downloading sources via git, in particular GitHub, and relied on the intrinsic "security" provided by the git protocol. However, we should probably spend some time improving this mechanism, as one of the major reasons behind this effort is to ensure we're confident in the integrity of our packages. I'm wondering if the preferred mechanism would be to provide a hash of the download file to the binary builder at run time -- e.g. Fetching the hashes from the distribution sites seems like it still leaves open a man-in-the-middle attack, though if we move to all HTTPS URLs that would be more difficult -- but as history has shown, not impossible. I'd love to hear your thoughts, and will discuss with the team tomorrow. |
I understand that fetching the source distrib checksum from the distribution through https is the standard way to check packages as they come released without including manual operation each time. I'd rather then have the binary builder do the download and verification itself. As for signatures, since they typically don't change much and in particular not with each new package version it seems better to embed the public keys (e.g. apache public keys) into the binary builder repo I would think, and then check the signature of the downloaded sources against the public key. (Sorry for late response, was out if office for a while) |
Thanks for pointing this out. I'm going to schedule work on making sure we're specifying the expected checksum for any downloads. |
Thanks @flavorjones Do you mean "making sure we're verifying the expected checksum for any downloads, against checksum securely downloaded from source repos" and verifying signature for digitally signed source packages ? |
I believe we've completed the work you described above -- all the builder pipelines now require a checksum or a GPG key, see https://github.com/cloudfoundry/binary-builder/blob/master/bin/binary-builder#L34-L40. |
And, to your point above, all the pipelines then use that checksum or GPG key to verify the source tarball. If you see anything we're not doing, please do let me know. I'm putting together a track of work related to this and to your request at #5 to provide more structured metadata around a "chain of custody" so that end users of a buildpack can verify all the binaries being delivered. |
Thanks @flavorjones ! I see the source files are indeed downloaded and verified against checksum or signature upfront but then the some template steps don't seem to use the downloaded and extracted tar (e.g. httpd-apr jruby ) and are therefore still vulnerable to man in the middle attacks. Is that something you plan on fixing ? Also, the docker file is vulnerable to man in the middle attacks in fetching |
Heya @gberche-orange, Thanks for pointing this out. In the
but in the Also worth noting that we're not yet verifying checksums when we build some dependencies in the |
Thanks @flavorjones for sharing the additional stories added.
Sorry, I had missed that, thanks for correcting me on this. |
Just an update that the current code on The PHP story is in motion, and nearly done. |
@gberche-orange The code for verifying checksums is here: https://github.com/cloudfoundry/binary-builder/blob/master/recipe/httpd_meal.rb#L152-L171 |
@flavorjones great thanks for the update, looks good to me. |
Thanks for sharing this great work for building buildpack binaries!
As discussed into cloudfoundry/java-buildpack-dependency-builder#6 the buildpacks binary builder should strive to verify authenticiy and integrity of downloaded artefacts
For example in https://github.com/cloudfoundry/binary-builder/blob/master/templates/httpd_blueprint.sh.erb#L8-L9 the builder is currently vulnerable to man in the midddle attacks that could return compromised packages.
In the case of apache, apache source packages are digitally signed with apache public keys, and should be checked by the binary builder.
Other cases might check against checksum downloaded through HTTPS on the main distrib (and not mirror).
http://apache.mirrors.tds.net/apr/#sig
The text was updated successfully, but these errors were encountered: