feat(signature): Checksum signature verification #1670
base: main
Conversation
Signed-off-by: Shubham Hibare <shubham@hibare.in>
@@ -616,7 +679,7 @@ main() ( | |||
install_dir=${install_dir:-./bin} | |||
|
|||
# note: never change the program flags or arguments (this must always be backwards compatible) |
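Review bot: the context comment closing this hunk says the script's flags and arguments must stay backwards compatible, yet nothing in the hunk guards the case the review thread raises: a user passing the new opt-in `-v` flag while installing a release that predates signed checksum files. Add an explicit check (a minimum release version, or a check that the signature and certificate assets exist for the requested release) that errors out in that case, so verification never appears to run when it cannot; in `main()` this belongs next to `install_dir=${install_dir:-./bin}`, before any download starts.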
note: never change the program flags or arguments (this must always be backwards compatible)
A note for reviewers/testers: we need to verify that this would function when installing a previous release. Ideally we'd know the specific release that implemented this and be able to short circuit this and error when validation would silently never occur.
This is an awesome add! I need to think through and run some testing to ensure installing previous releases is ok https://github.com/anchore/grype/pull/1670/files#r1467020629
Signed-off-by: Shubham Hibare <shubham@hibare.in>
@wagoodman Any update? As you mentioned, we definitely need a check for which version this feature was rolled out in, and to show an error when
Addresses issue #1627
This PR adds signature verification of the checksum.txt file before downloading and installing the actual binary. This is an optional, opt-in feature enabled with the `-v` command line flag to the installation script. The signature verification process depends on the third-party cosign binary. If the binary is not found, the user is prompted to install it. Cosign binary installation is not part of this script.
The overall process with signature verification looks like this:
Successful signature verification: [image]
Signature verification failure: [image]
Cosign binary not found: [image]
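The flow described in the PR (verify the cosign signature over the checksum file first, then check the downloaded binary against it, and fail closed when cosign is missing under `-v`), plus the version guard the reviewers ask for, as an added shell example. This is not the PR's or grype's install script: the function names, the asset layout (a checksum file with a detached `.sig` and `.pem` beside it), the `COSIGN_IDENTITY`/`COSIGN_ISSUER` placeholders and `MIN_SIGNED_VERSION` are all assumptions, and the cosign invocation uses the cosign v2 `verify-blob` keyless flags.

```shell
#!/bin/sh
# Added example, not the PR's or grype's install script: opt-in (-v style)
# verification that checks the cosign signature over the checksum file first,
# then the SHA-256 of the downloaded asset, and fails closed at every step.
# Assumed (not stated in the PR): asset naming, the placeholder signing
# identity/issuer below, and MIN_SIGNED_VERSION, the first release whose
# checksum file was signed.

COSIGN_IDENTITY="${COSIGN_IDENTITY:-https://github.com/example/project/.github/workflows/release.yaml@refs/tags/v0.0.0}"
COSIGN_ISSUER="${COSIGN_ISSUER:-https://token.actions.githubusercontent.com}"
MIN_SIGNED_VERSION="${MIN_SIGNED_VERSION:-0.0.0}"   # placeholder, project-specific

# 0 if cosign is on PATH, 1 otherwise.
have_cosign() {
  command -v cosign >/dev/null 2>&1
}

# 0 if dotted version $1 >= $2 (a leading "v" is ignored), 1 otherwise.
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Verify the detached cosign signature over the checksum file ($1) using its
# signature ($2) and certificate ($3); cosign v2 keyless flags.
# Returns 0 on a valid signature, 2 when cosign is missing, 1 on a bad signature.
verify_checksum_signature() {
  if ! have_cosign; then
    echo "cosign not found: install it, or drop -v to skip verification" >&2
    return 2
  fi
  cosign verify-blob \
    --certificate "$3" \
    --signature "$2" \
    --certificate-identity "$COSIGN_IDENTITY" \
    --certificate-oidc-issuer "$COSIGN_ISSUER" \
    "$1" >/dev/null 2>&1
}

# Hex SHA-256 of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare the asset ($1) against its entry in the checksum file ($2), which
# must already have passed signature verification to mean anything.
# Returns 0 on a match, 1 on a mismatch or a missing entry.
verify_asset_checksum() {
  asset_name=$(basename "$1")
  want=$(awk -v f="$asset_name" '$2 == f {print $1}' "$2")
  if [ -z "$want" ]; then
    echo "no checksum entry for $asset_name" >&2
    return 1
  fi
  got=$(sha256_of "$1")
  [ "$got" = "$want" ]
}

# Full flow for one release: $1 = 1 when -v was given, $2 = release version,
# $3 = downloaded asset, $4 = checksum file, $5 = its .sig, $6 = its .pem.
# Returns 3 when -v was requested for a release that predates signed checksums,
# so the script never pretends to verify something that cannot be verified.
verified_install_check() {
  if [ "$1" = 1 ]; then
    if ! version_ge "$2" "$MIN_SIGNED_VERSION"; then
      echo "release $2 predates signed checksums (first signed: $MIN_SIGNED_VERSION)" >&2
      return 3
    fi
    verify_checksum_signature "$4" "$5" "$6" || return $?
  fi
  verify_asset_checksum "$3" "$4"
}
```

The identity and issuer pins are what make the cosign step meaningful: without `--certificate-identity` and `--certificate-oidc-issuer` matching the project's release workflow, any keyless signature over the file would be accepted. Note also what the non-`-v` path gives you: with an unauthenticated checksum file, the hash comparison only detects a corrupted download, not a substituted one, which is why opting in is the whole point of the feature.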