
feat: update patch manager to check signature on boot #171

Merged
merged 19 commits into from
May 23, 2024

Conversation

bryanoltman
Contributor

Description

Update PatchManager to, if a public key is present, verify the signature of an inflated patch's hash before booting the patch.

Type of Change

  • ✨ New feature (non-breaking change which adds functionality)
  • 🛠️ Bug fix (non-breaking change which fixes an issue)
  • ❌ Breaking change (fix or feature that would cause existing functionality to change)
  • 🧹 Code refactor
  • ✅ Build configuration change
  • 📝 Documentation
  • 🗑️ Chore


codecov bot commented May 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.50%. Comparing base (908e231) to head (7bdd0d6).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #171      +/-   ##
==========================================
+ Coverage   96.27%   96.50%   +0.23%     
==========================================
  Files          28       29       +1     
  Lines        3191     3402     +211     
==========================================
+ Hits         3072     3283     +211     
  Misses        119      119              
Flag      Coverage Δ
library   98.04% <100.00%> (+0.14%) ⬆️


Comment on lines 237 to 249
    if let Some(public_key) = &self.patch_public_key {
        // If we have a public key, verify that the patch has a signature
        let patch_signature = patch
            .signature
            .clone()
            .context("Patch signature is missing")?;

        // Check that the signature is valid.
        let patch_hash = signing::hash_file(&artifact_path)?;
        signing::check_signature(&patch_hash, &patch_signature, public_key)?;
    } else {
        info!("No public key provided, skipping signature verification");
    }
Contributor


Not sure where the hash check is.

I would expect the process to be:

  1. If we have a public key, check the signature on the hash matches.
  2. Hash the patch
  3. Check the hash matches.

Presumably that's already being done, just spread across other methods?

Contributor Author


Not sure where the hash check is.

We don't currently check the hash for equality, and I'm not sure we need to—any change to the hash would cause the signature to become invalid.

The process is:

  1. If we have a public key, hash the patch file
  2. Check that the signature matches the hash

Contributor


I think I/we need to write out exactly what we're signing in plain language. Maybe I'll add that to my in-progress blog post tomorrow.

Base automatically changed from bo/store-patch-signature to main May 22, 2024 14:00
@bryanoltman bryanoltman requested a review from eseidel May 23, 2024 15:21
Comment on lines 39 to 44
    let decoded_sig = match base64::prelude::BASE64_STANDARD.decode(signature) {
        Ok(sig) => sig,
        Err(e) => {
            bail!("Failed to decode signature: {:?}", e);
        }
    };
Contributor


Is this just .context()?

Contributor


Or .map_err()?

Contributor Author


Possibly could be, let me see if there's a way to include the error message in a .context

Contributor Author


map_err works, just had to use anyhow's Error type, which is what is "thrown" by bail!:

    let decoded_sig = base64::prelude::BASE64_STANDARD
        .decode(signature)
        .map_err(|e| anyhow::Error::msg(format!("Failed to decode signature: {:?}", e)))?;
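The boot-time check this thread describes (if a public key is configured, hash the inflated patch and verify the signature over that hash, otherwise skip) together with the base64 decode error handling from the exchange just above, as an added example that is not the project's own code. It is written in Go against the standard library rather than the project's Rust so it runs without external crates; Ed25519 is an assumed stand-in for whichever signature scheme the project uses (the PR does not say), and the `Patch`/`PatchManager` types and the `signArtifact`/`VerifyBeforeBoot` names are constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Patch mirrors the two fields the boot check consults: the inflated artifact
// bytes and an optional base64 signature over the artifact's hash.
// (Constructed stand-in type; the project's own struct is not reproduced.)
type Patch struct {
	Artifact  []byte
	Signature *string // nil when the patch carries no signature
}

// PatchManager holds the optional public key. Assumption: Ed25519.
type PatchManager struct {
	PublicKey ed25519.PublicKey // nil means "no public key provided"
}

// Distinct sentinel errors for the two failure modes discussed in the review.
var (
	ErrSignatureMissing = errors.New("patch signature is missing")
	ErrSignatureInvalid = errors.New("patch signature does not match patch hash")
)

// hashArtifact is the "hash the patch file" step: SHA-256 over the inflated bytes.
func hashArtifact(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// decodeSignature is the base64 step from the thread. A decode failure is
// wrapped with context (the %w keeps the underlying reason, like map_err
// carrying the original error into the message) instead of a bare bail.
func decodeSignature(sig string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return nil, fmt.Errorf("failed to decode signature: %w", err)
	}
	return raw, nil
}

// VerifyBeforeBoot implements the two-step process the PR author describes:
// with a public key configured, hash the patch and check the signature on
// that hash. No separate hash-equality check is needed: any change to the
// artifact changes the digest, which in turn invalidates the signature.
// It returns (true, nil) when the patch was checked and may boot,
// (false, nil) when verification was skipped for lack of a key, and an error
// when the check was attempted and failed.
func (m *PatchManager) VerifyBeforeBoot(p Patch) (bool, error) {
	if m.PublicKey == nil {
		// Mirrors the info! branch: no key, skip signature verification.
		return false, nil
	}
	if p.Signature == nil {
		return false, ErrSignatureMissing
	}
	sig, err := decodeSignature(*p.Signature)
	if err != nil {
		return false, err
	}
	digest := hashArtifact(p.Artifact)
	if !ed25519.Verify(m.PublicKey, digest, sig) {
		return false, ErrSignatureInvalid
	}
	return true, nil
}

// signArtifact is the release-side counterpart, constructed here only so the
// example is self-contained: sign the SHA-256 digest and base64-encode it.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, hashArtifact(artifact)))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed inflated patch bytes") // constructed sample input
	sig := signArtifact(priv, artifact)
	m := &PatchManager{PublicKey: pub}

	checked, err := m.VerifyBeforeBoot(Patch{Artifact: artifact, Signature: &sig})
	fmt.Println("genuine patch: checked =", checked, "err =", err)

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // one flipped bit changes the digest, so the signature no longer verifies
	_, err = m.VerifyBeforeBoot(Patch{Artifact: tampered, Signature: &sig})
	fmt.Println("tampered patch:", err)

	_, err = m.VerifyBeforeBoot(Patch{Artifact: artifact})
	fmt.Println("unsigned patch:", err)

	checked, err = (&PatchManager{}).VerifyBeforeBoot(Patch{Artifact: artifact})
	fmt.Println("no public key configured: checked =", checked, "err =", err)
}
```

The tampered case is the reason the author gives for not adding a separate hash-equality step: the signature is over the digest, so a modified artifact produces a different digest and `ed25519.Verify` fails on its own. Keeping the decode failure, the missing signature, and the invalid signature as distinct errors means a boot log can tell a corrupted download from an unsigned or forged patch.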

@bryanoltman bryanoltman merged commit 390aa49 into main May 23, 2024
8 checks passed
@bryanoltman bryanoltman deleted the bo/patch_manager_check_signature branch May 23, 2024 18:41