tools: log and check shasum of archive file #48088
Conversation
|
Although it doesn't reduce the risk of downloading a tampered package to 0 (if someone changed the archive can also change the checksum to match) I see it a good practice! @nodejs/security-wg |
To be clear, when I suggested logging checksums, it was not meant as a security mechanism. I only want them logged so that we can better audit our buggy update scripts. Checking is optional IMHO, |
|
|
||
| ADA_REF="v$NEW_VERSION" | ||
| ADA_ZIP="ada-$NEW_VERSION.zip" | ||
| ADA_ZIP="ada-$ADA_REF.zip" |
There was a problem hiding this comment.
why this change? It doesnt seem related to the PR
There was a problem hiding this comment.
For consistency with the other deps that logs the checksum in the format SHA256 (packagename-v1.0.0.zip) = abc123 for e.g. SHA256 (ada-v2.4.2.zip) = 1c1d96f27307b6f7bd21af87d10d528207f44e904f77a550837037e9def06607
| OPENSSL_TARBALL="openssl-v$OPENSSL_VERSION.tar.gz" | ||
| curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/openssl-$OPENSSL_VERSION" | ||
| log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL" | ||
| gzip -dc "$OPENSSL_TARBALL" | tar xf - |
There was a problem hiding this comment.
Out of curiosity, why the explicit gzip processes instead of tar z?
There was a problem hiding this comment.
It's more portable. Some non-GNU versions of tar (e.g. on AIX) do not support -z.
There was a problem hiding this comment.
I see. I assumed these would only have to work under ubuntu-latest compatible systems, but if we want to aim for portability with other systems, that makes sense. FWIW, the command I suggested (sha256sum --tag) also won't work with some non-GNU systems (yet I prefer it over the more portable output format).
|
pr for histogram dep_updater : #48171 |
tniessen
added
author ready
nodejs-github-bot
removed
the
commit-queue
|
Landed in 847b9e0 |
PR-URL: nodejs#48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: #48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: #48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#48088 Refs: nodejs/security-wg#973 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
7 participants
As discussed here, there is the need to log the
sha256sumfor the external dependencies. With this PR in addition to log thechecksum, we also check it's validity and eventuallyexitwith an error. If the check is out of scope, of course I can just leave the log.I started with
nghttp2and when everything is ok I continue with the other depsRefs: nodejs/security-wg#973