Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify checksums transparently by storing checksums in registries #2665

Open
suzuki-shunsuke opened this issue Feb 5, 2024 · 5 comments
Open

Comments

@suzuki-shunsuke
Copy link
Member

suzuki-shunsuke commented Feb 5, 2024

Feature Overview

Store checksums in registries and verify checksums.

Why is the feature needed?

As you know, aqua has the feature for checksum verification.

https://aquaproj.github.io/docs/reference/security/checksum/

This is very awesome, but this feature is disabled by default.
I think it's difficult to enable this feature by default because to enable this feature in Git projects users need to manage aqua-checksums.json with Git, which means users need to update aqua-checksums.json continuously.
We provide GitHub Actions and CircleCI Orb to automate the update of aqua-checksums.json,
but I don't think most of users set up them.
Unfortunately, I don't think most of users are so interested in the checksum verification.

⚠️ This is just my expectation, so maybe this is wrong.

So I don't think most people verify checksums, this is undesirable and dangerous.

By the way, Homebrew verifies checksums transparently by keeping checksums in formula.
It's so nice.

So I'm thinking that we store checksums in registries and aqua verifies checksums with them.
Users don't need to set up anything but aqua verifies checksums transparently.

This improves the security without harming the user experience.

Workaround

No response

Example Code

No response

Note

No response

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Feb 5, 2024
@suzuki-shunsuke suzuki-shunsuke moved this to Backlog in main Feb 5, 2024
@suzuki-shunsuke suzuki-shunsuke changed the title Store checksums in registries and verify checksums Verify checksums transparently by storing checksums in registries Feb 5, 2024
@jayvdb
Copy link

jayvdb commented Jul 2, 2024

https://github.com/taiki-e/install-action also stores checksums in the repo.

In taiki-e/install-action#526 I proposed using aqua as a fallback, but the lack of a central store of pre-computed checksums looks like it will make this more difficult.

Also in that issue I note that the ziglang/zig tool here doesnt have a checksum definition, when https://ziglang.org/download/ does have checksum files available. Are they in a supported format?

@suzuki-shunsuke
Copy link
Member Author

Thank you for your comment. I didn't know that action.
As you said, the action stores checksums in the repository and updates them automatically when new versions are released.
This is exactly same as what this issue proposed.

https://ziglang.org/download/ does have checksum files available.

I can't find checksum files. Could you tell me some URLs?

@jayvdb
Copy link

jayvdb commented Jul 2, 2024

@suzuki-shunsuke
Copy link
Member Author

suzuki-shunsuke commented Jul 2, 2024

Oh, I see. I'm not familiar with minisig minisign, but aqua doesn't support it for now.

@suzuki-shunsuke
Copy link
Member Author

About minisin, I created an issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
No open projects
Status: Backlog
Development

No branches or pull requests

2 participants