Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates should be cryptographically signed #25

Closed
cbarcenas opened this issue Oct 6, 2015 · 2 comments
Closed

Updates should be cryptographically signed #25

cbarcenas opened this issue Oct 6, 2015 · 2 comments
Labels
help wanted

Comments

@cbarcenas
Copy link

Currently, swim update blindly fetches an upstream version of the script from https://raw.githubusercontent.com/dawsonbotsford/swim/master/swim. This is very bad as a compromise of the repository would allow an attacker to execute arbitrary code on swim users' computers. Cryptographic signature-checking of downloaded updates should be implemented to mitigate this risk
@dawsbot
Copy link
Owner

dawsbot commented Oct 6, 2015

Not sure how this would be done without implementing the builtin hash checking abilities of npm (or similar package manager). Which is absolutely a possiblity. Care to give this a try or to link me to a relevant article of how this is done for bash scripts?

@dawsbot
Copy link
Owner

dawsbot commented Mar 3, 2016

Not going to be accomplishing this in the near future without a rewrite of swim

@dawsbot dawsbot closed this as completed Mar 3, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cbarcenas @dawsbot