Security of the CLI download step #155
Comments
|
Hi! Thanks for your concerns here. Just so you're aware, the first point is already being done; the Smartnode is released on GitHub signed by a GPG key. For example, take a look at the release artifacts here: https://github.com/rocket-pool/smartnode-install/releases/tag/v1.6.5 You'll see each file (including the install script, the CLI binaries, and the daemons) is accompanied by a GPG signature. The GPG public key itself is also included there. Users are free to verify that the binaries match what is signed by that key. That process should account for your second point as well, but if you'd like to see Regarding point 3, I think we could discuss putting the binaries up on IPFS as well. Let me talk about that with the team, because we'd likely need to use a pinning service for it. For point 4, building from source would probably require its own section to cover things like setting up a Go environment, testing, comparing your version against the canonical version, etc. I think it makes sense to do, but maybe in the dev section of the docs instead of the user guides. |
Excellent, thank you for the pointer. I'll take a look at using it and I may submit a PR that adds a little bit of text to the docs that point at it too.
A pinning service probably is the best way to go. Not sure what your current server for publishing binaries looks like, but it might not be too hard to run an IPFS node on that as well. Not sure, thanks for considering it.
Yeah, I think just adding a quick link like: advanced: if you want to build from source see . Most people wont use it, but some will, and those people will be more likely to help make those build instructions even better. |
|
I am working on making a small PR to add some text about GPG verification. For reference my process for choosing the arch looks like this: ARCH=$(uname -m)
declare -A ARCH_LUT=(
["x86"]="amd64"
["x86_64"]="amd64"
["aarch64"]="arm64"
)
ARCH="${ARCH_LUT[${ARCH}]}"
echo "ARCH = $ARCH"
PREFIX=$HOME/.local
mkdir -p "$PREFIX/bin"
wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-"${ARCH}" -O ./rocketpool
wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-"${ARCH}".sig -O ./rocketpool.sig
wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/smartnode-signing-key-v3.asc -O ./smartnode-signing-key-v3.asc
# Sign key belongs to:
# https://github.com/jclapis
gpg --import ./smartnode-signing-key-v3.asc
gpg --verify rocketpool.sig rocketpool
mv ./rocketpool "$PREFIX/bin/rocketpool"
chmod +x "$HOME"/.local/bin/rocketpool
rocketpool --version |
In the CLI setup instructions: https://docs.rocketpool.net/guides/node/docker.html#downloading-the-rocket-pool-cli
It was the user to wget a url, give it execution permissions and run it.
The file downloaded is an 18MB binary that does who knows what. There doesn't seem to be a way that I can verify this binary corresponds to the code in: https://github.com/rocket-pool/smartnode
So the only encouragement that running this code is in any way trustworthy is that it in an https url.
There are several mitigations that could be done to increase the security posture of this critical step:
The first 3 options make a modified binary attack much harder. Signing the binaries gives as much confidence as the chain of trust provides, which can be a little or a lot. Publishing hashes makes it much easier to automate setting up nodes that pin to a specific version of the CLI. Publishing on IPFS has similar benefits to the hashes in addition to providing a distributed means of accessing the binaries rather than relying on a centralized github server.
The last option is the most impactful. Users can verify the code themselves and use the builtin security that comes with git to verify the code they are building is the code they expect to build.
The text was updated successfully, but these errors were encountered: