-
Notifications
You must be signed in to change notification settings - Fork 931
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request: Integrity verification of dependencies #5668
Comments
Doesn't Coursier already do checksum validation? |
If the checksum is downloaded from the server then it doesn't count as "integrity" check, since a man-in-the-middle or compromised server can send a checksum that matches the compromise.
Signatures are better, because only the publisher can change them. So, it eliminates server and man-in-the-middle attacks. However, the publisher itself could become compromised over time. What I am proposing (and it's not an original idea by any means), is to let the sbt user specify the checksum in their project. This eliminates all three vectors: MITM, server compromise and publisher compromise. There is still a one-time-risk involved in calculating the checksum the first time. This can be mitigated in various ways like manual or automated functional verification. But after the checksum is committed to a repo, it protects against all future attacks. |
ok. Before we go too deep into the solution space, maybe we should clarify the attack vectors that this intends to protect against.
|
|
I would like the ability to verify that any artifact downloaded by sbt is as I expect it to be, before it gets used. This prevents man-in-the-middle attacks as well as malicious payloads from a compromised server.
Specifying a checksum for each dependency is one way to enable this.
Gradle has a plugin for this: checksum-dependency-plugin. That README describes the use-case very eloquently, so I won't repeat it here.
NPM also has support for this. The integrity properties are defined in package-lock.json.
There appears to be a sbt-plugin that does this https://github.com/josephearl/sbt-verify. However, it is not updated frequently. In any case, it would be nice to have this support in sbt itself. A plugin that gets downloaded could be compromised and would defeat its own purpose.
PS. I am sorry for not using discourse.lightbend. The website is not working for me.
The text was updated successfully, but these errors were encountered: