Reproducible build, checksum verification of external dependencies

[mgmax]

Some parts of the build process download external dependencies without verifying a checksum. This means that if any of our external dependencies or their download server is compromised, the next VisiCut build will automatically pick this up.

Good example:
Download of JDK for Windows/Mac setup.

VisiCut/distribute/distribute.sh

Line 111 in 8797012

echo "$hash $downloaded_file" | sha256sum -c

Insufficiently checked parts:

• Maven dependencies. This is tricky, see
  • https://stackoverflow.com/questions/3307146/verification-of-dependency-authenticity-in-maven-pom-based-automated-build-syste
  • https://issues.apache.org/jira/browse/MNG-6026
  • Possible solution: https://github.com/chains-project/maven-lockfile
• pyuploadtool:

  VisiCut/.github/workflows/github-build.yml

  Line 63 in 8797012

  wget https://github.com/TheAssassin/pyuploadtool/releases/download/20231223-1/pyuploadtool-x86_64.AppImage

  (introduced in Release with GitHub actions #710)
• appimagecraft pip git (only weak SHA1 hash, and only a short part of it)

  VisiCut/distribute/Dockerfile

  Line 16 in 8797012

  python3 -m pip install git+https://github.com/TheAssassin/appimagecraft.git@6b36fda#egg=appimagecraft

• downloads by appimagecraft itself, e.g., https://github.com/TheAssassin/appimagecraft/blob/6b36fda05d50b356024bd3b12ca426ba73fe334b/appimagecraft.yml#L13 (only relevant for AppImage build, not for other package types)

[TheAssassin]

I think you might be a little too concerned in this regard. In the software industry "downloaded from a static GitHub URL" is even sufficient. It's rather unlikely that someone would manage to work around all the security features (TLS, HSTS even). I can relate to the wish for a static build so that new ones don't break things (even if that is rather uncommon in the world of AppImages, for instance), but checking hashes is a bit over the top.

Edit:

only weak SHA1 hash, and only a short part of it

Of couurse, the hash is not a security measure. It's just to install the right "version", not to make sure it wasn't tampered. You'd have to build your own thing there to reliably install this.

[mgmax]

Regarding "static GitHub URL": Anyone with sufficient access to the dependency repository could change the content of the release artifact, and then we would silently download and run that new content. No need to hack GitHub :-)

[TheAssassin]

Sure, but then again we trust these projects to have proper access control in place.