Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publish checksums with releases #16165

Open
alexeagle opened this issue Mar 14, 2024 · 6 comments
Open

Publish checksums with releases #16165

alexeagle opened this issue Mar 14, 2024 · 6 comments
Labels
packaging & distribution

Comments

@alexeagle
Copy link
Contributor

@comius points this out in https://github.com/bazelbuild/rules_proto/pull/205/files#r1524512758

Currently users of protobuf can download releases from https://github.com/protocolbuffers/protobuf/releases - however they have no way to guarantee that the bytes they downloaded are the same that were published. A man-in-the-middle attack could tamper with the binary, for example, injecting a supply-chain-security vulnerability into the generated protobuf stub code.

Like many GitHub-released projects, there ought to be a checksums.txt file included as an additional release asset. This could be in the form of a .sha256-suffixed file for each release artifact, like https://github.com/astral-sh/ruff/releases or (more convenient IMO) a single checksums.txt file like https://github.com/google/yamlfmt/releases
@alexeagle alexeagle added the untriaged auto added to all issues by default when created. label Mar 14, 2024
@sgammon
Copy link
Contributor

sgammon commented Mar 15, 2024

@alexeagle I'm in the build doing some refactoring and fixing (#16176 etc)... did you want to take this on? If not, I'll file it along with some other dependency security enhancements (SLSA, Sigstore, etc), in a stack of PRs so they can merge what they feel comfortable with. I've taken the same approach with Guava.

@alexeagle
Copy link
Contributor Author

@sgammon that would be great, but I suspect the release machinery here is hidden in google3. It would be good to get a 👍🏻 from the maintainers on an approach for this.

@epicseven-cup
Copy link

Hi, I was just about to post this question as well any updates on this?

@esorot
Copy link
Contributor

esorot commented Jul 9, 2024

Thanks for filing this issue. We've added it to our backlog to be prioritized.

@zhangskz
Copy link
Member

zhangskz commented Oct 1, 2024

Wouldn't any attack that could compromise the binaries also be able to just tamper with the checksums as well, if they live side-by-side? I think we would generally recommend setting sha256 (e.g. bazel http_archive) directly to prevent this type of case. LMK if there's something we're failing to consider here!

This is probably still a nice-to-have backlog task, but we're unlikely to get to this atm unless the priority changes.

@alexeagle
Copy link
Contributor Author

@zhangskz exactly, users should vendor the checksums to follow the principle of trust-on-first-use.

@JasonLunn JasonLunn removed the untriaged auto added to all issues by default when created. label Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
packaging & distribution
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@alexeagle @sgammon @JasonLunn @esorot @epicseven-cup @zhangskz