sentry-cli
Add hashsums to release artifacts
Hello there,
It would be great if you could add hashsums, or even better hashsums and SBOMs with signatures, next to the release artefacts. That would enable users to validate the files' consistency and detect if they were tampered with.
thanks 😃
Hi! Can you expand on what you mean by "next to the release artifacts"?
Hi @loewenheim ,
Here, for example: https://github.com/getsentry/sentry-cli/releases/tag/2.21.2 Or, if this is better, next to the CDN download location that is noted in the docs; that would be fine as well, but it still needs to be documented: https://release-registry.services.sentry.io/apps/sentry-cli/...
Ah, I see. Yes, that sounds like a very good idea.
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
@loewenheim could you maybe add the Status: Backlog label here so the bot does not autoclose it?
@loewenheim is there any decision on where the hashes should be? Do you accept PRs for this?
Hi @Lerentis, I recently took over maintaining the Sentry CLI from @loewenheim.
I understand your request; however, I am unsure how useful it would be to add hash sums to the release artifacts we publish to GitHub. I believe the downloads from GitHub occur over an HTTPS connection, which should already provide protection against tampering during the download.
Could you please explain the benefit of providing hash sums when the download already occurs over an encrypted connection?
Hi @szokeasaurusrex ,
This goes more in the direction of securing the supply chain. If TLS were sufficient, there would not be projects like cosign or the SLSA framework 😅. Here is one more practical example where hashsums would already be sufficient:
Imagine a badly configured proxy in some environments that would claim the TCP stream to have finished, but some packets are just lost, resulting in a corrupted file and lots of frustration. Provided hash sums could help validate file integrity.
Okay, @Lerentis, thank you for explaining.
In that case, I will keep this issue open on our backlog. It may take me some time to get around to implementing the change; however, we would gladly accept PRs from contributors.
The simplest way to implement this change would be by simply placing the SHA checksum of each file in the release into a single checksums.txt file that we include with the GitHub release.
Hi @Lerentis, apparently we already list the build checksums on our Sentry CLI docs page. Is this list sufficient for your use case? If so, we can close this issue.
Hi @szokeasaurusrex ,
This is a rather ugly file format because of the "-" in the JSON file, but I could make it work.
```dockerfile
FROM ubuntu:24.04
ARG SENTRY_CLI_VERSION=2.32.1
RUN set -eux; \
    apt-get update; \
    apt-get dist-upgrade -y; \
    apt-get install -y \
        curl \
        jq
# Look up the expected sha256 in the release-registry JSON, download the binary
# for this architecture, and refuse to install it if the digest does not match.
# curl -f makes an HTTP error fail the build instead of hashing an error page.
RUN set -eux; \
    ARCH="$(dpkg --print-architecture)"; \
    case "${ARCH}" in \
        aarch64|arm64) \
            SENTRY_DOWNLOAD_URL="https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}?response=download&arch=aarch64&platform=Linux&package=sentry-cli"; \
            SENTRY_HASHSUM="$(curl -fsSL "https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}" | jq -r '.files."sentry-cli-Linux-aarch64".checksums."sha256-hex"')"; \
            ;; \
        amd64|x86_64) \
            SENTRY_DOWNLOAD_URL="https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}?response=download&arch=x86_64&platform=Linux&package=sentry-cli"; \
            SENTRY_HASHSUM="$(curl -fsSL "https://release-registry.services.sentry.io/apps/sentry-cli/${SENTRY_CLI_VERSION}" | jq -r '.files."sentry-cli-Linux-x86_64".checksums."sha256-hex"')"; \
            ;; \
        *) \
            echo "Unsupported arch: ${ARCH}"; \
            exit 1; \
            ;; \
    esac; \
    curl -fsSL "${SENTRY_DOWNLOAD_URL}" -o sentry-cli; \
    echo "${SENTRY_HASHSUM}  sentry-cli" | sha256sum -c; \
    mv sentry-cli /usr/local/bin/sentry-cli; \
    chmod +x /usr/local/bin/sentry-cli
```
It would be way cleaner if there were one hashsum file for each artifact, like infracost is doing, or something similar to crane or terragrunt. All of them use standard formats that can be verified with the sha256sum binary without the need to script around it:
```dockerfile
FROM ubuntu:24.04
ARG TERRAGRUNT_VERSION=v0.58.14
RUN set -eux; \
    apt-get update; \
    apt-get dist-upgrade -y; \
    apt-get install -y \
        curl \
        jq
# The release ships a SHA256SUMS file in sha256sum's own format, so the check
# is a single `sha256sum -c`; --ignore-missing skips the archs not downloaded.
RUN set -eux; \
    ARCH="$(dpkg --print-architecture)"; \
    case "${ARCH}" in \
        aarch64|arm64) \
            TERRAGRUNT_BINARY="terragrunt_linux_arm64"; \
            ;; \
        amd64|x86_64) \
            TERRAGRUNT_BINARY="terragrunt_linux_amd64"; \
            ;; \
        *) \
            echo "Unsupported arch: ${ARCH}"; \
            exit 1; \
            ;; \
    esac; \
    curl -fsSL "https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/${TERRAGRUNT_BINARY}" -o "${TERRAGRUNT_BINARY}"; \
    curl -fsSL "https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/SHA256SUMS" -o SHA256SUMS; \
    sha256sum -c SHA256SUMS --ignore-missing; \
    mv "${TERRAGRUNT_BINARY}" /usr/local/bin/terragrunt; \
    chmod +x /usr/local/bin/terragrunt
```
@Lerentis, so to be clear, you are able to work around this using the hash sums in the release registry? Adding the hash sums next to the artifacts would simply be more convenient, but you are not blocked by this, right?
@szokeasaurusrex I can confirm that I could make it work and this is not blocking. The improvement would be to use a standard format that is readable by the sha256sum binary instead of this JSON object. The location does not matter.
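An added example, not code from the sentry-cli project or from anyone in this thread, that bridges the two formats discussed above: it converts the registry's `files.<name>.checksums."sha256-hex"` object into the two-space `SHA256SUMS` layout GNU `sha256sum -c` reads, then verifies like `--ignore-missing`, including the case where nothing matched. The registry contents and artifact bytes are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed artifact bytes (not real sentry-cli binaries); their digests are
# computed below to build a registry response of the shape the thread reads.
SAMPLE_ARTIFACTS = {
    "sentry-cli-Linux-x86_64": b"constructed x86_64 artifact\n",
    "sentry-cli-Linux-aarch64": b"constructed aarch64 artifact\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def registry_to_sha256sums(registry: dict) -> str:
    """Turn {"files": {name: {"checksums": {"sha256-hex": ...}}}} into GNU
    coreutils lines ("<hex>  <name>", two spaces = text mode) for sha256sum -c."""
    lines = []
    for name, entry in sorted(registry["files"].items()):
        digest = entry["checksums"]["sha256-hex"].lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed sha256-hex for {name}")
        lines.append(f"{digest}  {name}")
    return "\n".join(lines) + "\n"

def verify_sha256sums(sums_text: str, directory: Path) -> dict:
    """Mimic `sha256sum -c --ignore-missing`: check each listed file that exists,
    report OK/FAILED per name, and refuse to pass when nothing was checked."""
    results = {}
    for line in sums_text.splitlines():
        expected, _, name = line.rstrip("\n").partition("  ")
        path = directory / name
        if name and path.is_file():
            results[name] = "OK" if sha256_hex(path.read_bytes()) == expected else "FAILED"
    if not results:
        raise RuntimeError("no file was verified")  # sha256sum errors out here too
    return results

def run_demo() -> dict:
    """Registry JSON -> SHA256SUMS -> verify one downloaded arch, then corrupt it."""
    registry = {"files": {n: {"checksums": {"sha256-hex": sha256_hex(b)}}
                          for n, b in SAMPLE_ARTIFACTS.items()}}
    sums = registry_to_sha256sums(registry)
    with tempfile.TemporaryDirectory() as tmp:
        target, d = "sentry-cli-Linux-x86_64", Path(tmp)
        (d / target).write_bytes(SAMPLE_ARTIFACTS[target])
        before = verify_sha256sums(sums, d)
        (d / target).write_bytes(SAMPLE_ARTIFACTS[target][:-3])  # truncated download
        after = verify_sha256sums(sums, d)
    return {"sums": sums, "before": before, "after": after}
```

The "no file was verified" failure matters when a release renames an artifact: a checksum file that lists nothing you downloaded must not pass silently.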
Okay, thank you for the clarification @Lerentis – we will keep this issue open on our backlog, but since there is a workaround we will assign it low priority, so it will likely take a while for us to fix this.
We accept community PRs, so if you would like this issue to be resolved more quickly, please feel free to submit a PR 🙂