Support authenticity verification for downloaded binaries #769
+604
−108
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes bazelbuild#15. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
* refactor `httputil.DownloadBinary` to download and store signature file * extract authenticity verification logic into a separate `VerifyBinary` function * perform authenticity verification in `downloadBazelIfNecessary`, after integrity check * it allows us to keep verification logic in one place * failure of authenticity check is clearly handled in the same way as failure of integrity check: downloaded Bazel left in CAS, but the mapping file is not created in metadata
…sabling of authenticity check
…itly using an alternative verification key. It can be useful if * the embedded verification key expired, but it's impossible to update bazelisk for some reason * Bazel is downloaded from the fork which uses an alternative PGP key
… because golang.org/x/crypto is deprecated and unmaintained See https://pkg.go.dev/golang.org/x/crypto/openpgp for details
valco1994
force-pushed
the
authenticity-verification
branch
from
60da2d9 to
9d67949
Compare
valco1994
force-pushed
the
authenticity-verification
branch
2 times, most recently
from
0117588 to
989125c
Compare
…o:embed to make it available in the source code
valco1994
force-pushed
the
authenticity-verification
branch
from
989125c to
bb6e9ad
Compare
Contributor
Author
|
@philwo, @meteorcloudy, @fweikert, please, take a look at it. |
Contributor
Author
|
It would be ok, if this PR is reviewed deeply after #192, because it's initially based on #192. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bazel publishes detached signature files together with binaries and source code for each release.
It looks like bazelisk could guarantee much better security if it verifies the corresponding signatures for downloaded artifacts. This functionality was requested more than 7 years ago in #15.
There were a couple of attempts to implement this feature - #17, #192. But none of them was accepted after all.
I decided to take #192 from @PiotrSikora as the base, because an approach with signature verification in the code looks much more attractive than launching external tools. I reworked it quite drastically and supported additional features, so it's possible to skip verification or provide an alternative verification key now.
I also switched from
golang.org/x/cryptotogithub.com/ProtonMail/gopenpgp/v3, becausegolang.org/x/crypto/openpgpis deprecated and unmaintained (see https://pkg.go.dev/golang.org/x/crypto/openpgp for details).