Plugin manager should validate the SHA, where possible #12750
Comments
Implementation detail: When running Impl: We simply should GET that URL as well...
Not sure if we need command line parameters like

@spinscale I'm looking at this, it looks like we don't actually provide sha1 or md5 files for our own plugins? I am just curious if there's an already-available plugin I can use for manual testing of this.

Also, I guess nevermind on our own plugins, I can run a local server and test it with a URL that way, I was just curious if we already hosted the checksum files.

no, this is since 2.0...
When a plugin is downloaded, this change additionally tries to download `${pluginurl}.sha1` and verify the SHA1 checksum for the file. If no .sha1 file is found, it tries `${pluginurl}.md5`. Note that if neither checksum file is found, a notice is printed but the plugin can still be installed. If the checksum check fails, the plugin install is aborted.

Example output if no checksums are available:

```
bin/plugin install elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT
-> Installing elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT...
Trying http://download.elastic.co/elasticsearch/elasticsearch-analysis-icu/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying http://search.maven.org/remotecontent?filepath=elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying https://oss.sonatype.org/service/local/repositories/releases/content/elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/2.6.0-SNAPSHOT.zip ...
Trying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/master.zip ...
Downloading .....................................DONE
Verifying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
```

Example output if checksums are available:

```
bin/plugin install elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT
-> Installing elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT...
Trying http://download.elastic.co/elasticsearch/elasticsearch-analysis-icu/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying http://search.maven.org/remotecontent?filepath=elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying https://oss.sonatype.org/service/local/repositories/releases/content/elasticsearch/elasticsearch-analysis-icu/2.6.0-SNAPSHOT/elasticsearch-analysis-icu-2.6.0-SNAPSHOT.zip ...
Trying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/2.6.0-SNAPSHOT.zip ...
Trying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/master.zip ...
Downloading .....................................DONE
Verifying https://github.com/elasticsearch/elasticsearch-analysis-icu/archive/master.zip checksums if available ...
Downloading .DONE
```

Example output if checksums fail:

```
bin/plugin install elasticsearch/elasticsearch-analysis-kuromoji/2.5.0 -url http://localhost:8000/elasticsearch-analysis-kuromoji-2.5.0.zip
-> Installing elasticsearch/elasticsearch-analysis-kuromoji/2.5.0...
Trying http://localhost:8000/elasticsearch-analysis-kuromoji-2.5.0.zip ...
Downloading .............................................DONE
Verifying http://localhost:8000/elasticsearch-analysis-kuromoji-2.5.0.zip checksums if available ...
Downloading .DONE
ERROR: incorrect hash, file hash: [dbdc9c2cd32782054497a21fbdcae3ca1ff23c80], expected: [dbdc9c2cd32782054497a21fbdcae3ca1ff23c80-bad]
```

Resolves elastic#12750
The plugin manager should perform SHA sum validation when available. If there is a shasum file in a specific location with a specific naming pattern, we can verify the sum after download.
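An added example (not code from the PR or from the Elasticsearch plugin manager itself) of the verification flow that the issue text above and the PR description lay out: fetch `${pluginurl}.sha1`, fall back to `${pluginurl}.md5`, treat a missing sidecar as "unverified but installable", and treat a digest mismatch as a hard abort. The plugin URL, the archive bytes and the in-memory fetcher are constructed for the example; the checksum-file parser accepts both a bare digest and the `digest  filename` layout that Maven-style `.sha1`/`.md5` files commonly use. A sidecar served from the same origin as the plugin only catches corrupt or truncated downloads; it does not establish authenticity if that origin is compromised, which is why the "unverified" outcome is worth surfacing loudly rather than silently.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional, Tuple

# Sidecar files tried in order, mirroring the PR: ${pluginurl}.sha1 first, then .md5.
CHECKSUM_SUFFIXES = ((".sha1", "sha1"), (".md5", "md5"))

# A fetcher returns the bytes at a URL, or None when the resource does not exist (e.g. HTTP 404).
Fetcher = Callable[[str], Optional[bytes]]


def parse_checksum_file(content: bytes) -> str:
    """Return the lowercase hex digest from a checksum file.

    Accepts a bare digest ("abcd...") as well as the "abcd...  filename" layout;
    only the first whitespace-delimited token is used, and it must be hex.
    """
    text = content.decode("ascii", errors="replace").strip()
    token = text.split()[0] if text else ""
    if not re.fullmatch(r"[0-9a-fA-F]+", token):
        raise ValueError("checksum file does not start with a hex digest")
    return token.lower()


def verify_plugin(plugin_url: str, plugin_bytes: bytes, fetch: Fetcher) -> Tuple[str, str]:
    """Verify plugin_bytes against the first sidecar checksum that exists.

    Returns (status, message) with status "verified" or "unverified" (no sidecar found;
    the install may proceed, as in the PR). Raises ValueError on a mismatch, which is
    the case where the install must abort.
    """
    for suffix, algo in CHECKSUM_SUFFIXES:
        sidecar = fetch(plugin_url + suffix)
        if sidecar is None:
            continue  # not found: fall through to the next sidecar type
        expected = parse_checksum_file(sidecar)
        actual = hashlib.new(algo, plugin_bytes).hexdigest()
        # compare_digest is constant-time; differing lengths simply compare unequal
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"incorrect hash, file hash: [{actual}], expected: [{expected}]")
        return "verified", f"{algo} checksum verified via {plugin_url}{suffix}"
    return "unverified", ("Unable to verify checksum for downloaded plugin "
                          "(unable to find .sha1 or .md5 file to verify)")


# ---- constructed sample data (not a real host or a real plugin archive) ----
PLUGIN_URL = "http://plugins.example.invalid/analysis-demo-1.0.0.zip"
PLUGIN_BYTES = b"PK\x03\x04constructed-plugin-archive-contents"


def make_fetcher(files: Dict[str, bytes]) -> Fetcher:
    """In-memory stand-in for HTTP GET: returns None for any URL not in `files`."""
    return lambda url: files.get(url)


def scenario_no_checksum() -> str:
    # Neither sidecar exists: notice only, install continues.
    return verify_plugin(PLUGIN_URL, PLUGIN_BYTES, make_fetcher({}))[0]


def scenario_good_sha1() -> str:
    # .sha1 sidecar in "digest  filename" layout that matches the archive.
    good = hashlib.sha1(PLUGIN_BYTES).hexdigest() + "  analysis-demo-1.0.0.zip\n"
    files = {PLUGIN_URL + ".sha1": good.encode()}
    return verify_plugin(PLUGIN_URL, PLUGIN_BYTES, make_fetcher(files))[0]


def scenario_md5_fallback_mismatch() -> str:
    # No .sha1, only an .md5 sidecar, and it describes a different file: install aborts.
    bad = hashlib.md5(b"constructed: some other archive").hexdigest().encode()
    try:
        verify_plugin(PLUGIN_URL, PLUGIN_BYTES, make_fetcher({PLUGIN_URL + ".md5": bad}))
    except ValueError:
        return "aborted"
    return "not aborted"


if __name__ == "__main__":
    print("no sidecar      :", scenario_no_checksum())
    print("good .sha1      :", scenario_good_sha1())
    print("bad .md5 fallback:", scenario_md5_fallback_mismatch())
```

The three scenario functions correspond to the three example outputs in the PR description: no checksum file, a matching checksum, and a mismatch that aborts the install.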