Downloads should be validated

Open pmuetschard opened this issue 6 years ago • 12 comments

The .bazelversion file should allow developers to specify the SHAs of the files downloaded so that we can rest easy knowing that the bazel used by bazelisk is, well, not tainted.

pmuetschard avatar Oct 30 '19 19:10 pmuetschard

Nice idea and probably easier to implement than https://github.com/bazelbuild/bazelisk/pull/17. :)

philwo avatar Oct 31 '19 12:10 philwo

Oooh, I like the idea behind #17! It "automates" some of the work. Sorry, I filed this bug with a solution in mind rather than just asking for what I want... The title of the bug ("Downloads should be validated") is what I'd like, my comment above is a suggestion on how to do it and can be ignored :)

Maybe someone more versed in these things can guide you on whether #17 is enough or if pinning SHAs is "more secure" as it would protect against the bazel key being compromised.

pmuetschard avatar Oct 31 '19 16:10 pmuetschard

@philwo @alexeagle Just wanted to see if this is in the current work queue for your team. It would probably block any wide-spread adoption of bazelisk within our company. Thanks!

valeraz avatar Feb 21 '20 21:02 valeraz

My browser is refusing to download the most recent version of Bazelisk on Windows - it says a virus was detected. Has the download been tainted?

rayhoffmann-ANSYS avatar Sep 17 '20 19:09 rayhoffmann-ANSYS

@rayhoffmann-ANSYS Thanks for letting me know. We had false positives with Chrome’s malicious binary checking in the past and I had to escalate them with the team to get them removed from there. But I’ll inspect this personally just to make sure!

Could you let me know whether you’re running a virus scanner and if yes which one on your computer?

philwo avatar Sep 17 '20 19:09 philwo

I checked https://github.com/bazelbuild/bazelisk/releases/download/v1.6.1/bazelisk-windows-amd64.exe with virustotal.com and it came back all green (nothing detected). I’d assume a false positive, but would still like to resolve this. Any details about your virus scanner that complained about the binary would be welcome.

philwo avatar Sep 17 '20 19:09 philwo

We had McAfee installed on our computers. Windows Defender is running. I don't know what scanner detected on download like that though...

rayhoffmann-ANSYS avatar Sep 17 '20 19:09 rayhoffmann-ANSYS

Hi @philwo, we are having the same issue as reported by @rayhoffmann-ANSYS. See here: https://www.virustotal.com/gui/file/eed3dd5ee2433275eab79f999276a7cc5d082a0360c439cb370183eaa94fc293/detection. I just tried uploading the latest windows binary and it comes back as green: https://www.virustotal.com/gui/url/494f82b50db61451cc09367b664dfb061ee22bb7fed9c641590fbf77a156c2c8/detection, strange.

freddd avatar Sep 21 '20 08:09 freddd

@freddd Which version was the file that comes back red? Do you still have it?

Oh, now I get it - if you upload the file it's red, but if you pass the URL in, it's green. Weird. 🤔 I'm looking into this.

philwo avatar Sep 21 '20 14:09 philwo

OK, I figured it out. Apparently Go binaries that are built for Windows often result in false positives:

  • https://golang.org/doc/faq#virus
  • https://groups.google.com/g/golang-nuts/c/Au1FbtTZzbk

Especially when you use LDFLAGS="-s -w", which I did in Bazelisk to reduce the binary size. It seems like with Bazelisk 1.6.1 I just got really unlucky and a lot of virus scanners believe they see something malicious in that binary, but it really is just something common to many Go binaries.

Here's my recommendation:

  • I'll remove the LDFLAGS from the Windows binaries for future releases, which means they'll grow ~2 MB, but at least it should reduce the chance of false positives.
  • For Bazelisk 1.6.1 you could reproduce the binaries on your own machine to ensure that I haven't accidentally put a virus in them.

Bazelisk 1.6.1 as downloaded from GitHub has this SHA256: eed3dd5ee2433275eab79f999276a7cc5d082a0360c439cb370183eaa94fc293.

Repro instructions:

I'm using a MacBook Pro (macOS 10.15.6), in case this matters - I'm not sure.

$ git clone https://github.com/bazelbuild/bazelisk.git
$ cd bazelisk
$ git fetch --tags
$ git checkout v1.6.1
$ ./build.sh
$ sha256sum bin/bazelisk-windows-amd64.exe
eed3dd5ee2433275eab79f999276a7cc5d082a0360c439cb370183eaa94fc293  bin/bazelisk-windows-amd64.exe

If you also get the same hash, it's proven that the release binary was built from the unmodified sources of the tag v1.6.1.

philwo avatar Sep 21 '20 16:09 philwo

Bazelisk v1.7.1 contains the workaround and is now "only" flagged by three scanners on virustotal.com.

Unfortunately Microsoft is one of them, which I guess might cause trouble. 😞 I'll try to send this to them for analysis so that they can update their signatures to not mark this file.

philwo avatar Oct 06 '20 14:10 philwo

I think #17 is not really bazel-ly. It would be nice to be able to check a list of known SHA256s for the corresponding bazel versions downloaded by bazelisk.

That would help shops with their own patched bazel releases to use bazelisk without having to bother about gpg sigs.

I also see that #17 is quite stale. How keen are you to review/merge an MR for SHA256 verify?

sluongng avatar Feb 07 '21 21:02 sluongng
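The check that philwo's repro steps do by hand and that sluongng's proposal would automate (look up the pinned SHA256 for a version, refuse to run the download unless it matches), as an added example that is not Bazelisk's own code. The pin-file format "<version> <sha256>" and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not part of the Bazelisk project): verify a downloaded
# binary against a pinned SHA256 before executing it.
# Assumed pin-file format (hypothetical, one entry per line):
#   <bazel-version> <sha256-hex>

# Portable SHA256: GNU coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# lookup_pin PINFILE VERSION
# Prints the pinned hash for VERSION, or nothing if it is not listed.
lookup_pin() {
  awk -v v="$2" '$1 == v { print $2; exit }' "$1"
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pin (case-insensitive),
# 1 on mismatch or when the pin is empty (an empty pin must never pass).
verify_pinned() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$file")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# run_verified PINFILE VERSION FILE [ARGS...]
# Looks up the pin for VERSION and runs FILE only if its hash matches.
run_verified() {
  pinfile=$1; version=$2; file=$3; shift 3
  if verify_pinned "$file" "$(lookup_pin "$pinfile" "$version")"; then
    "$file" "$@"
  else
    echo "hash mismatch or no pin for $version: refusing to run $file" >&2
    return 1
  fi
}
```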