[BUG] binman does not check signature of toolchain

Downloading binaries and executing without checking the authenticity is at least unwise.
When binman downloads GCC it should also download and verify the GPG signatures.
Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
Best regards
Heinrich
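The checks proposed above (a pinned SHA256 list plus a GPG signature check before anything downloaded is unpacked or run), written out as an added example. This is not code from buildman or binman; the archive contents, its digest and the file names are constructed for the demo, and the gpg invocation assumes a dedicated keyring file into which the toolchain signing key has already been imported.

```python
"""Verify a downloaded toolchain archive before it is unpacked or executed.

Added example, not buildman's own code. A pinned SHA256 digest is always
required; a detached GPG signature is checked when one is supplied.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


class VerificationError(Exception):
    """Raised when a downloaded archive fails any required check."""


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large tarballs are not read into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """True if the file's digest matches the pinned value (case-insensitive hex)."""
    actual = sha256_of_file(path)
    # compare_digest: constant-time comparison, cheap belt and braces here.
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_gpg_signature(path, sig_path, keyring):
    """Check a detached signature with the gpg CLI.

    Assumption: gpg is installed and `keyring` is a dedicated keyring file
    holding only the toolchain publisher's key, so an unrelated key in the
    user's default keyring cannot satisfy the check.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def check_archive(path, expected_sha256, sig_path=None, keyring=None):
    """Gate to call before extracting or running anything from the archive."""
    if not verify_sha256(path, expected_sha256):
        raise VerificationError(f"SHA256 mismatch for {path}")
    if sig_path is not None:
        if keyring is None:
            raise VerificationError("signature supplied but no keyring to check it against")
        if not verify_gpg_signature(path, sig_path, keyring):
            raise VerificationError(f"bad GPG signature for {path}")
    return True


def demo():
    """Constructed run: a fake archive, its pinned digest and a tampered copy.

    Returns (good_verified, tampered_verified, tampered_rejected_by_gate).
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "gcc-example.tar.xz")          # constructed name
        with open(good, "wb") as fh:
            fh.write(b"constructed toolchain archive contents\n")
        pinned = sha256_of_file(good)  # stands in for a published digest

        tampered = os.path.join(tmp, "gcc-tampered.tar.xz")     # constructed name
        with open(tampered, "wb") as fh:
            fh.write(b"constructed toolchain archive contents!\n")

        good_verified = verify_sha256(good, pinned)
        tampered_verified = verify_sha256(tampered, pinned)
        try:
            check_archive(tampered, pinned)
            tampered_rejected = False
        except VerificationError:
            tampered_rejected = True
        return good_verified, tampered_verified, tampered_rejected


if __name__ == "__main__":
    ok, bad, rejected = demo()
    print(f"pinned: {ok}, tampered: {bad}, gate rejected tampered: {rejected}")
```

The hash check alone only protects against a download that differs from what was pinned at the time the list was written; the signature check is what ties the archive to the publisher's key, which is why the gate treats the two as complementary rather than interchangeable.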

Hi Heinrich,
On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
> Downloading binaries and executing without checking the authenticity is at least unwise.
> When binman downloads GCC it should also download and verify the GPG signatures.
> Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker!
Regards, Simon

On 10/27/21 16:05, Simon Glass wrote:
> Hi Heinrich,
> On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
>> Downloading binaries and executing without checking the authenticity is at least unwise.
>> When binman downloads GCC it should also download and verify the GPG signatures.
>> Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
> Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker!
tools/buildman/toolchain.py
I have seen this script downloading binaries and executing them on my machine without verification. This makes me feel insecure.
test/run invokes buildman.
The same is true for tools/docker/Dockerfile. As Docker does not use its own kernel you should avoid running untrusted binaries in a container.
Best regards
Heinrich

Hi Heinrich,
On Wed, 27 Oct 2021 at 08:23, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
> On 10/27/21 16:05, Simon Glass wrote:
>> Hi Heinrich,
>> On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
>>> Downloading binaries and executing without checking the authenticity is at least unwise.
>>> When binman downloads GCC it should also download and verify the GPG signatures.
>>> Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
>> Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker!
> tools/buildman/toolchain.py
> I have seen this script downloading binaries and executing them on my machine without verification. This makes me feel insecure.
This should only happen with --fetch-arch but if you see it happening without that, there is some kind of bug.
> test/run invokes buildman.
> The same is true for tools/docker/Dockerfile. As Docker does not use its own kernel you should avoid running untrusted binaries in a container.
OK I will leave this as an exercise for the reader.
Regards, Simon