install.sh: check checksums file's signature

[martinetd]

What would you like to be added:

it'd be great if install.sh could verify releases a bit more thoroughly.

Why is this needed:

install.sh currently grabs the checksum file from github to check the download was correct, but this brings no value from a security perspective: both the checksums and the file are served from the same servers, so if a malicious actor can change the release binaries they can also update the checksums.

Additional context:

This is the third point of #519 - there doesn't seem to have been discussions about the signatures in there so I'm forking to a different issue to discuss more specifically this point (the branch pointed there talks about signature but it's since been merged so couldn't see what it contained, and the current install.sh still doesn't verify anything)

I also wasn't able to find where the checksums.txt.sig and checksums.txt.pem come from, so wasn't sure how to use them to check manually.
The .pem file looks like a base64 encoded, base64 encoded PEM file (no, I didn't stutter here - we can probably drop the external base64 encoding?)
The .sig file is just base64 encoded "data" without header, so it's not gpg? perhaps openssl cms? I didn't get that to work either..

But either way it looks like things are signed so it should be possible to check in install.sh -- ideally the caller could specify a fingerprint of the certificate as argument to install.sh, so the chain of trust would be:

• copying the install command with curl install.sh | sh -s -- --fingerprint foobarxyz
• install.sh fetches release binary, checksums file as usual
• if fingerprint given, also fetch checksum file's signature, and certificate (if not cached?); if no fingerprint is given this is security theater so there is no point in downloading this unless cached somewhere (TOFU)
  • verify certificate matches with given fingerprint
  • verify checksums file signature matches
• verify checksum & extract as currently done

[tgerla]

Hi @martinetd, thanks for the report! The .pem and .sig files come from a step in our build process that uses cosign to sign the checksum files of the binaries: https://github.com/anchore/syft/blob/main/.goreleaser.yaml#L263-L274

Here is one way you can verify the signatures using the cosign command:

cosign verify-blob {checksums_filepath} \
  --certificate {checksums_cert_file_path} \
  --signature {checksum_sig_file_path} \
  --certificate-identity-regexp "https://github/\.com/${OWNER}/${REPO}/\.github/workflows/.+" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com/"

There is also a PR against Grype to do this in the install.sh script, and it could probably be finished and ported over to Syft: anchore/grype#1670

Hopefully this helps!

[martinetd]

Thanks, I was able to verify locally.

I've commented on grype's PR and agree once it's ready it'll be easy to update syft as well, let's continue over there :)