
How to bootstrap and verify sbt plugins?

[Open] graingert opened this issue 8 years ago • 8 comments

There should be a tutorial on how to download and verify sbt-pgp and any other build plugins before sbt runs (and a malicious plugin stops sbt-pgp from working).

graingert avatar May 12 '16 09:05 graingert

Good question. I think it may be (barely) possible for us to do that. We would actually need to include ourselves VERY EARLY in the sbt load process, and even then we wouldn't be guaranteed to catch everything....

Cc. @eed3si9n

jsuereth avatar May 12 '16 19:05 jsuereth

Imagine all the people living life in peace (using sbt-pgp as part of mothership instead of a plugin).

eed3si9n avatar May 12 '16 19:05 eed3si9n

I imagine this being a tar.gz that directly patches sbt or is integrated directly.

graingert avatar May 12 '16 19:05 graingert

What's sbt mothership?

graingert avatar May 12 '16 19:05 graingert

It's a term I use sometimes to refer to sbt, as opposed to the plugins. I've been an advocate for that for a while. See https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ for example.

eed3si9n avatar May 12 '16 19:05 eed3si9n

The signature verification parts of sbt-pgp only make sense if they can verify plugins before they are loaded and as such cannot work without being patched into sbt or included in 'mothership'.

graingert avatar May 12 '16 20:05 graingert

You could create a new addSbtPlugin function, e.g. addSbtPlugin(plugin: Plugin, pgp: PgpFingerPrint)

That does the validation.

But you would still need to patch sbt before the plugins.sbt loaded.

Thomas Grainger

graingert avatar May 12 '16 21:05 graingert

I guess you could import sbt-pgp after manually adding it to your classpath.

Thomas Grainger

graingert avatar May 12 '16 21:05 graingert
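A bootstrap script in the spirit of the two comments above (the fingerprint-pinned addSbtPlugin idea and manually staging the jar on the build classpath), added here as an example and not code from sbt-pgp or this thread: it fetches a plugin jar and its detached signature, verifies them with gpg against a pinned key fingerprint, and only then drops the jar into project/lib, which sbt's meta-build picks up as an unmanaged jar. The URLs and the fingerprint are placeholders; it assumes curl and gpg are installed and that the signer's public key is already in the local keyring.

```shell
#!/bin/sh
# Added example (not part of sbt-pgp): verify a plugin jar's detached PGP
# signature against a pinned fingerprint BEFORE sbt ever loads the plugin.
set -eu

# Return 0 only if gpg reported a good signature AND the primary key that made
# it matches the pinned fingerprint. `gpg --verify` alone exits 0 for any key
# in your keyring, so this fingerprint comparison is what actually pins trust.
# $1: text of `gpg --status-fd 1` output, $2: expected primary-key fingerprint
valid_sig_from() {
  status="$1"
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then return 1; fi
  if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then return 1; fi
  # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key fingerprint
  primary=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $12; exit}')
  [ -n "$primary" ] && [ "$primary" = "$want" ]
}

# Download jar + .asc, verify, and stage the jar in project/lib (sbt's default
# unmanaged jar directory for the meta-build) only when verification passes.
# $1: jar URL, $2: .asc URL, $3: pinned fingerprint, $4: destination dir
bootstrap_plugin() {
  jar_url="$1"; asc_url="$2"; fpr="$3"; dest="${4:-project/lib}"
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/plugin.jar" "$jar_url"
  curl -fsSL -o "$tmp/plugin.jar.asc" "$asc_url"
  # Machine-readable status goes to stdout; human-readable chatter to stderr.
  status=$(gpg --batch --status-fd 1 --verify "$tmp/plugin.jar.asc" "$tmp/plugin.jar" 2>/dev/null || true)
  if valid_sig_from "$status" "$fpr"; then
    mkdir -p "$dest"
    mv "$tmp/plugin.jar" "$dest/$(basename "$jar_url")"
    rm -rf "$tmp"
    echo "staged $(basename "$jar_url") in $dest"
  else
    rm -rf "$tmp"
    echo "signature check failed; refusing to stage $jar_url" >&2
    return 1
  fi
}

# Example invocation with placeholder URLs and fingerprint (fill in your own):
# bootstrap_plugin "https://repo.example/sbt-pgp.jar" "https://repo.example/sbt-pgp.jar.asc" \
#   "0123456789ABCDEF0123456789ABCDEF01234567" project/lib
```

Run it from the project root before invoking sbt; the staged jar is then on the build definition classpath without any addSbtPlugin line, and no verification code has to run inside sbt itself.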