
Are there checksums available?

Open ilia-shipitsin opened this issue 8 months ago • 4 comments

hello,

Small question from the GitHub runner images team. We are looking to improve supply chain security.

Are there checksums or some other integrity validation recommended?

cheers

ilia-shipitsin avatar Oct 13 '23 11:10 ilia-shipitsin

If you mean checksums available for the builds created by Rebar3, we do maintain checksums for dependencies' sources in the lock file, and Erlang has an option you can supply to make builds deterministic. We do not compute a checksum for the artifacts created, however, only on the elements used to define the final build, with the assumption that a repeatable build yields a repeatable result.

If you mean for the rebar3 binaries themselves, then no, we currently do not create these. Do you know if the build is obtained from github or from the s3 bucket? Neither has checksums published but I'm curious either way.

That being said, the artifacts we build both to S3 and github themselves are all automated. I guess a checksum could protect you from a third-party later changing the file in its final storage location, but as far as I can tell doing that without the ability to also update the checksum on similar storage is unlikely. I could imagine making it easier to invalidate cached copies at least.

ferd avatar Oct 13 '23 12:10 ferd

thank you!

I forgot to mention, we are looking for rebar3 binary validation. We download them from GitHub releases, but we usually try to download from the location officially proposed by the project; we can change to S3 if needed.

I understand that the idea of keeping checksums together with binaries is not the best one. We are fine with downloading checksums from whatever location the project suggests. For each tool we track both the URL and checksum validation (it may be some URL or something else).

ilia-shipitsin avatar Oct 13 '23 12:10 ilia-shipitsin

We haven't set that up at all, but I assume we could as part of automation. S3 generally contains only the latest main build, so github is likely the better place to do it, given we already automate part of the release process in https://github.com/erlang/rebar3/blob/a16f41aef7f004394f761f1dae108231ca0ec76e/.github/workflows/publish.yml#L24-L33

I'll try and find time to prototype this workflow somewhere for the next builds; chances are I'd have to either do it as an extra attached file (https://github.com/erlang/rebar3/blob/a16f41aef7f004394f761f1dae108231ca0ec76e/.github/workflows/publish.yml#L35-L44), which could just be called rebar3.checksum.

Do you have any preferences in terms of algorithms?

ferd avatar Oct 13 '23 14:10 ferd

SHA256 / SHA512 are approved by our security team.

ilia-shipitsin avatar Oct 13 '23 14:10 ilia-shipitsin
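To make the two halves of this thread concrete, the attached `rebar3.checksum` file ferd proposes and the SHA256 verification the runner-images team would do on download, here is an added example script. It is not part of the rebar3 project's workflow; it only assumes the file name `rebar3.checksum` from the discussion and the common `<hex digest>  <filename>` line format that `sha256sum -c` reads. The artifact it hashes is a constructed stand-in, not a real rebar3 escript.

```shell
#!/bin/sh
# Added example (not rebar3 project code): publish a SHA-256 sidecar for a
# release artifact and verify a downloaded copy against it.
set -eu

# Pick whichever SHA-256 tool is present (GNU coreutils or Perl shasum) and
# print only the hex digest.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Publisher side (what a release workflow step would do): write one line in
# the "<digest>  <basename>" format so consumers can also use `sha256sum -c`.
make_checksum_file() {
  artifact=$1
  out=$2
  printf '%s  %s\n' "$(sha256_of "$artifact")" "$(basename "$artifact")" > "$out"
}

# Consumer side: returns 0 only if the checksum file is well formed, names
# this artifact, and its digest matches the file actually downloaded.
verify_checksum() {
  artifact=$1
  checksum_file=$2
  expected=$(awk 'NR==1{print $1}' "$checksum_file")
  listed_name=$(awk 'NR==1{print $2}' "$checksum_file")
  # Reject anything that is not exactly 64 lowercase hex characters.
  case $expected in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  # A checksum file for a different artifact must not validate this one.
  [ "$listed_name" = "$(basename "$artifact")" ] || return 1
  actual=$(sha256_of "$artifact")
  [ "$actual" = "$expected" ]
}

# Demo on a constructed artifact: intact copy passes, modified copy fails.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed stand-in for a rebar3 escript\n' > "$tmp/rebar3"
  make_checksum_file "$tmp/rebar3" "$tmp/rebar3.checksum"
  if verify_checksum "$tmp/rebar3" "$tmp/rebar3.checksum"; then
    echo "rebar3: checksum OK"
  fi
  printf 'x' >> "$tmp/rebar3"   # simulate a byte changed in storage or transit
  if verify_checksum "$tmp/rebar3" "$tmp/rebar3.checksum"; then
    echo "rebar3: unexpectedly accepted a modified file"
  else
    echo "rebar3: modified file rejected"
  fi
  rm -rf "$tmp"
}

demo
```

Because the sidecar uses the same line format as `sha256sum` output, a consumer with GNU coreutils can equivalently run `sha256sum -c rebar3.checksum` in the download directory; the script's own `verify_checksum` exists so the format and name checks are explicit. Note that, as ferd points out, a checksum stored next to the binary in the same location only detects corruption or a change to one file but not the other; the runner-images practice of pinning the expected digest in their own tool manifest is what turns it into an integrity check independent of the download host.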