feat(`foundryup`): verify hashes of downloaded binaries upon install

Open zerosnacks opened this issue 6 months ago • 1 comments

Component

Foundryup

Describe the feature you would like

In our release attestation flow: https://github.com/foundry-rs/foundry/attestations/7708816 we can download a foundry-rs-foundry-attestation-7708797.sigstore.json

This is connected to commit: ac0411d0e3b9632247c9aea9535472eda09a57ae

jq -r '.dsseEnvelope.payload | @base64d | fromjson | .subject[] | "\(.name): \(.digest.sha256)"'  foundry-rs-foundry-attestation-7708797.sigstore.json

This yields:

anvil: 8a70bef5777e6d6d75a1c63a4d89e3e17c374d6e7973820ba8925069400f6e80
cast: 84434b4ac2e270fbe696f241b6b534cfeda5cf58018cb712ddc74d18347e345e
chisel: 6a93474d0bdb0adbdda3bd352056ef023c238a33eff2e2e896c541cb948f71db
forge: 5d2737eba535cd5773da8f0e03f23abd3ff708774a1ced41f53257269c34ff2a

This can be locally verified by running: shasum -a 256 <path/to/binary>

8a70bef5777e6d6d75a1c63a4d89e3e17c374d6e7973820ba8925069400f6e80  /Users/zerosnacks/.foundry/bin/anvil
84434b4ac2e270fbe696f241b6b534cfeda5cf58018cb712ddc74d18347e345e  /Users/zerosnacks/.foundry/bin/cast
6a93474d0bdb0adbdda3bd352056ef023c238a33eff2e2e896c541cb948f71db  /Users/zerosnacks/.foundry/bin/chisel
5d2737eba535cd5773da8f0e03f23abd3ff708774a1ced41f53257269c34ff2a  /Users/zerosnacks/.foundry/bin/forge

When these two are matching users can be confident the binaries have been produced by our CI.

The challenge and requirement is that we need a good way to connect the release to the attestation, extract the sha256 hashes without additional dependencies and validate without additional dependencies.

jq should technically not be necessary, and an equivalent of shasum is available on all operating systems.

Additional context

No response

zerosnacks avatar Jun 11 '25 09:06 zerosnacks
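The extract-and-compare flow described in the issue, as an added example that is not foundryup's or the Foundry project's own code: a POSIX shell sketch that pulls the subject digests out of a sigstore bundle with sed/grep/base64 instead of jq and checks them against the binaries in a directory. The bundle, the "binary" contents and their digests below are constructed test vectors; the script checks digests only and does not verify the bundle's Sigstore signature.

```shell
# Added example, not foundryup's own code: check local binaries against the subject
# digests in a sigstore attestation bundle using only sed/grep/tr/base64 and
# sha256sum or shasum (no jq). Bundle and "binaries" are constructed; this checks
# digests only and does not verify the DSSE signature or certificate chain.

sha256_of() {  # SHA-256 hex of a file with whichever tool the platform has
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}
b64dec() {  # portable base64 decode of stdin (GNU: -d, older macOS: -D)
  if printf 'AA==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}
# Print "name sha256" per subject of the in-toto statement in .dsseEnvelope.payload.
# Whitespace is stripped so the regexes see compact JSON; assumes one "payload" key.
subjects_of() {
  tr -d ' \t\r\n' < "$1" | sed -n 's/.*"payload":"\([^"]*\)".*/\1/p' \
    | b64dec | tr -d ' \t\r\n' \
    | grep -o '"name":"[^"]*","digest":{"sha256":"[0-9a-f]\{64\}"' \
    | sed 's/"name":"\([^"]*\)","digest":{"sha256":"\([0-9a-f]*\)"/\1 \2/'
}
# Compare every attested subject with $2/<name>; returns 1 if any differs or is missing.
verify_bins() {
  bundle=$1; bindir=$2; status=0
  subjects=$(subjects_of "$bundle")
  [ -n "$subjects" ] || { echo "no subjects found in $bundle" >&2; return 1; }
  while read -r name expected; do
    actual=missing; [ -f "$bindir/$name" ] && actual=$(sha256_of "$bindir/$name")
    if [ "$actual" = "$expected" ]; then echo "ok   $name $expected"
    else echo "FAIL $name expected $expected got $actual" >&2; status=1; fi
  done <<EOF
$subjects
EOF
  return $status
}
# Constructed fixture: "forge" holds the bytes "abc" and "cast" is empty, so the
# attested digests are the standard SHA-256 test vectors for those two inputs.
make_fixture() {
  dir=$(mktemp -d); mkdir "$dir/bin"; printf 'abc' > "$dir/bin/forge"; : > "$dir/bin/cast"
  statement='{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"forge","digest":{"sha256":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}},{"name":"cast","digest":{"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{}}'
  payload=$(printf '%s' "$statement" | base64 | tr -d '\n')
  printf '{"dsseEnvelope":{"payload":"%s","payloadType":"application/vnd.in-toto+json"}}\n' \
    "$payload" > "$dir/bundle.sigstore.json"
  echo "$dir"
}

FIXTURE=$(make_fixture)
verify_bins "$FIXTURE/bundle.sigstore.json" "$FIXTURE/bin"          # both ok
printf 'x' >> "$FIXTURE/bin/cast"; verify_bins "$FIXTURE/bundle.sigstore.json" "$FIXTURE/bin" || echo "tamper detected"
```

On a real bundle the same `subjects_of` call yields the four `name sha256` lines shown above, which is the list foundryup would compare against the freshly downloaded binaries.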

can be coupled with https://github.com/foundry-rs/foundry/issues/9519 by checking hashes of existing binaries

grandizzy avatar Jun 11 '25 11:06 grandizzy

Continuing on this to find out what next steps are.

As discussed, going to run a nightly release against: https://github.com/foundry-rs/foundry/compare/master...grandizzy/attestation-url

This should create an *.attestation.txt file we can then make assertions against in foundryup

zerosnacks avatar Jul 02 '25 10:07 zerosnacks

yep, running release workflow from the branch won't replace nightly but build a new release with branch name so should be safe to test

grandizzy avatar Jul 02 '25 10:07 grandizzy

Perfect, running here: https://github.com/foundry-rs/foundry/actions/runs/16023228220

zerosnacks avatar Jul 02 '25 10:07 zerosnacks