monero wallet-rpc: check binaries sha256sum #673
Comments
Yes sounds like a good idea! Would definitely accept a PR that implements this. As for the actual implementation, doing as much as possible in pure Rust would be preferable, i.e. we don't want to rely on the user having
Seems difficult to accomplish this with the current "decompress as the file is downloaded" behavior.
xmr-btc-swap/swap/src/monero/wallet_rpc.rs Lines 234 to 237 in c3b474d
@ikmckenz maybe look into separating the download and decompress stages?
That's fine with me, but we might lose this "decompress as download is still happening" trick. Not that it's super important I guess, this download is a one time setup related thing.
Yeah. And since the hashes come from the same domain, we would also have to verify the pgp signature.
Since https://www.getmonero.org/downloads/hashes.txt only has the most recent release's hashes and we are rarely on the most recent copy of the cli, I propose just hardcoding the hashes for the version we use in the code and checking against that. Still offers protection of hash check, without needing to add even more complexity for pgp verification (can be done by developers on updating).
After downloading the binaries (in case we don't see them in the filesystem already)
xmr-btc-swap/swap/src/monero/wallet_rpc.rs Line 84 in 4212504
there are no checks for integrity being performed, but I believe it'd be best if we did - sure, downloading over HTTPS would indeed guarantee that we're not getting anything that's not coming from the servers we trust (as long as we trust the root CAs), but ideally we should make sure they are also what we expect them to be: the exact contents are reproducibly built by the community (e.g., see https://github.com/monero-project/gitian.sigs/blob/master/v0.17.2.0-linux/selsta/monero-linux-0.17-build.assert), not just what's said to be true by the getmonero.org servers.

My recommendation: reqwest downloads the contents and before the extraction, pipe those bytes through sha256sum and check

Wdyt?
thx!
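
The approach discussed in this thread (separate the download from the decompression, and check the bytes against a hash hardcoded in the source before extracting), as an added example that is not part of the issue or the project's code. It is written in Python with only the standard library rather than the project's Rust; the function names, the bzip2 framing and the sample release bytes are assumptions constructed for illustration.

```python
import bz2
import hashlib
import os
import tempfile


class HashMismatch(Exception):
    """Downloaded bytes do not match the hash pinned in the source."""


def download_verified(chunks, pinned_sha256, dest_dir):
    """Hash each chunk as it arrives, spool it to a staging file, and
    return the staged path only if the digest equals the pinned value."""
    hasher = hashlib.sha256()
    fd, staged = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    with os.fdopen(fd, "wb") as out:
        for chunk in chunks:              # stands in for the HTTP body stream
            hasher.update(chunk)          # hashing still overlaps the download
            out.write(chunk)
    if hasher.hexdigest() != pinned_sha256.lower():
        os.remove(staged)                 # never leave unverified bytes behind
        raise HashMismatch(f"got {hasher.hexdigest()}")
    return staged


def install(chunks, pinned_sha256, dest_dir):
    """Decompress only after the whole download has been verified."""
    staged = download_verified(chunks, pinned_sha256, dest_dir)
    try:
        with bz2.open(staged, "rb") as src:
            return src.read()             # stand-in for unpacking the archive
    finally:
        os.remove(staged)


# Constructed sample: a fake "release" and the hash a developer would pin
# in the source when updating the bundled version.
RELEASE = bz2.compress(b"monero-wallet-rpc placeholder binary\n" * 64)
PINNED = hashlib.sha256(RELEASE).hexdigest()


def as_chunks(data, size=97):
    """Split constructed bytes into network-sized pieces."""
    return (data[i:i + size] for i in range(0, len(data), size))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(len(install(as_chunks(RELEASE), PINNED, d)), "bytes installed")
```

The decompressor never sees a byte until the full digest has matched, which is the property the streaming "decompress as the file is downloaded" design cannot give.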