Docs: Consider adding validation of checksums or signatures to OPA install documentation #3448

Closed
raesene opened this issue May 9, 2021 · 5 comments · Fixed by #4109

@raesene

raesene commented May 9, 2021

Currently the OPA installation documentation involves downloading and executing a binary program.

At the moment, there's no mention in the documentation of how to validate a digital signature or checksum of the downloaded file prior to running it. If an attacker were able to compromise the system hosting the binary, this could leave users open to attack (as happened with Codecov).

A useful addition would be either to include checksums of the binary that can be validated, or to look at signing released files using something like cosign or notary.

@phyber

phyber commented Jul 16, 2021

Currently checking out OPA and was surprised to find that there weren't any checksums for the binary releases at all. This would be a welcome enhancement.

@tsandall tsandall added the docs label Jul 16, 2021
@tsandall
Member

I agree that minimally we should publish checksums for the binaries that are attached to each release. We'll need to look into the best way to surface that in the docs.

@developer-guy
Contributor

hello, we had talked a bit with @anderseknert and @srenatus about it. IMHO, there are two ways to sign OPA binaries and container images: by using the public/private key approach or the keyless mode approach. There are similar efforts already available in some projects such as GoReleaser, cosign itself, and ko. Maybe they might help you understand the concept. 🤝🥳

@developer-guy
Contributor

hello folks, I have a couple of comments here.

  1. AFAIK, we can use `sha256sum <file>` instead of using `shasum -a 256`.
  2. IIRC, this command will add the name of the file to the `.sha256` file, which makes it harder to check within the CI/CD pipeline; that's why the kubectl CLI's sha256 file only contains the sha256 part without a file name, please see:

        Validate the binary (optional)

        Download the kubectl checksum file:

            curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

        Validate the kubectl binary against the checksum file:

            echo "$(<kubectl.sha256) kubectl" | sha256sum --check

        If valid, the output is:

            kubectl: OK

  3. Similar work is being done by me in vCluster CLI too, please see.

So, I'm proposing to do the same for OPA, WDYT?

kindly ping @anderseknert @johanneslarsson @tsandall?

cc: @Dentrax

@johanneslarsson
Contributor

  1. `sha256sum` is only available on Linux, so I guess it could be changed there. But values will be the same?
  2. Can't you cut the value you want?

        echo "$(cut -d ' ' -f1 opa_darwin_amd64.sha256) opa_darwin_amd64" | shasum -c
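A portable version of the check discussed in the last two comments, added here as an example that is not code from the OPA project or from any participant in this issue: it accepts both the hash-only layout and the `hash  filename` layout of a `.sha256` file, and uses `sha256sum` or `shasum -a 256` depending on which is installed. The file names it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the OPA project or any participant in this issue).
# Verifies a downloaded release binary against its .sha256 file, accepting
# both checksum-file layouts discussed above:
#   - "<hash>" only (kubectl style)
#   - "<hash>  <filename>" (default sha256sum / shasum output)
# Uses sha256sum where available (Linux) and falls back to shasum -a 256
# (macOS), so one script covers both platforms.

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# First whitespace-separated field of the first line, lower-cased:
# works for both the hash-only and the hash+filename layouts.
expected_sha256() {
    awk 'NR==1 { print tolower($1) }' "$1"
}

# verify_binary <binary> <checksum-file>
# Returns 0 on a match, 1 on mismatch or a malformed checksum file.
verify_binary() {
    bin="$1"; sums="$2"
    want=$(expected_sha256 "$sums")
    # Insist on a 64-character hex digest; an empty or truncated value
    # must fail rather than be compared.
    case "$want" in
        ''|*[!0-9a-f]*) echo "malformed checksum file: $sums" >&2; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "malformed checksum file: $sums" >&2; return 1; }
    got=$(sha256_of "$bin")
    if [ "$got" = "$want" ]; then
        echo "$bin: OK"
        return 0
    fi
    echo "$bin: FAILED (expected $want, got $got)" >&2
    return 1
}

# Constructed demo input standing in for opa_linux_amd64 and its .sha256 file.
tmp=$(mktemp -d)
printf 'opa binary placeholder\n' > "$tmp/opa_linux_amd64"
sha256_of "$tmp/opa_linux_amd64" > "$tmp/opa_linux_amd64.sha256"
verify_binary "$tmp/opa_linux_amd64" "$tmp/opa_linux_amd64.sha256"
rm -r "$tmp"
```

Note that the checksum file only protects against a corrupted or swapped download when it is fetched from a location the attacker cannot also rewrite; a signature (as suggested earlier in the thread) is what ties the digest to the publisher.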


6 participants