feat: pin downloaded binaries with sha256 verification#362
Open
art049 wants to merge 2 commits into
Conversation
Every binary the runner downloads at install time (the patched valgrind .deb, the memtrack/exec-harness/mongo-tracer installer scripts) is now SHA-256-pinned. URLs and expected hashes live together in a new `PinnedBinary` enum, and the download helper rejects the install if the bytes don't match. Bumping a pinned version requires updating both the version constant and the matching hash; CONTRIBUTING.md documents the regeneration workflow.

Co-Authored-By: Claude <noreply@anthropic.com>
Merging this PR will not alter performance
Add a network-bound test that downloads each `PinnedBinary` variant (valgrind for every supported distro/arch combination, plus the three installer scripts) and asserts the bytes match the declared SHA-256 via `download_pinned_file`. Gated behind `GITHUB_ACTIONS` like the other network/sudo tests, so it runs in CI but is opt-in locally. This catches a stale or mistyped hash before the release rather than at install time on a user's machine. Document the local invocation in CONTRIBUTING.md alongside the regeneration workflow.

Co-Authored-By: Claude <noreply@anthropic.com>
Every binary the runner downloads at install time (the patched valgrind .deb, the memtrack installer, the exec-harness installer, the mongo-tracer installer) is now SHA-256-pinned. URLs and expected hashes live together in a new `PinnedBinary` enum in `src/binary_pins.rs`, and the download helper (`download_pinned_file`) rejects the install — and removes the partial file — if the bytes don't match the declared digest.

Until now, the runner trusted whatever it pulled from GitHub releases / S3 to be the artifact that was published. That trust is implicit and we have no recovery if an artifact is replaced. Pinning the hashes alongside the version constants makes the supply-chain assumption explicit and verifiable at install time.

Bumping a pinned version now requires updating both the version constant and the matching `PinnedBinary::sha256` arm — for valgrind, one hash per supported `(distro_version, arch)` combination. `CONTRIBUTING.md` is updated with the regeneration workflow and the release checklist points at the new location.