are there checksums available ? #2140

Open
ilia-shipitsin opened this issue Oct 13, 2023 · 21 comments

Comments

@ilia-shipitsin

hello,

In the GitHub runner images team we are looking into improving the supply chain.
Are there checksums available (or something else maybe)?

cheers

@whimboo
Collaborator

whimboo commented Oct 16, 2023

We have those only for the Linux platforms at the moment. For MacOS and Windows the builds are signed and as such we didn't see a need. I assume you need them for all platforms? Which kind of checksum is preferred?

@ilia-shipitsin
Author

yep, we are looking for checksum validation on linux binaries

@ilia-shipitsin
Author

as for checksum algo, our security engineers approved SHA256 or SHA512

@whimboo
Collaborator

whimboo commented Oct 24, 2023

If you are looking for Linux only then the PGP signatures that we ship beside the binaries aren't enough or you cannot use due to restrictions?

@ilia-shipitsin
Author

We missed the PGP signatures. Can you help with the URL?

we download gecko driver from github releases

@whimboo
Collaborator

whimboo commented Oct 24, 2023

Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc.

If that is all what you need and it works feel free to close the issue. Thanks!

@ilia-shipitsin
Author

thanks, give me couple of days

@sergei-pyshnoi

> Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc.
>
> If that is all what you need and it works feel free to close the issue. Thanks!

@whimboo If I understand correctly, it is a file signature (I am a little bit confused, because it usually has a .sig extension). Anyway, it's an acceptable checksum alternative. Can you please help with receiving the "public pgp signature"? Do you have some guideline or documentation for it? Thank you

@whimboo
Collaborator

whimboo commented Oct 24, 2023

> > Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc.
> > If that is all what you need and it works feel free to close the issue. Thanks!
>
> @whimboo If I understand correctly, it is a file signature (I am a little bit confused, because it usually has a .sig extension). Anyway, it's an acceptable checksum alternative. Can you please help with receiving the "public pgp signature"? Do you have some guideline or documentation for it? Thank you

We basically just use what our CI system generates. And so far this exact question didn't come up yet.

@bhearsum could you give some insights in how to get the public GPG key that is used to generate the signature files (.asc) so that the downloaded geckodriver binary can be verified? Thanks!

@bhearsum

It looks like those are signed with the same key as Firefox, which can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

@sergei-pyshnoi

sergei-pyshnoi commented Oct 25, 2023

> It looks like those are signed with the same key as Firefox, which can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

I tried to validate with the provided pub keys, but received an error that the key is expired.

```
gpg: Signature made Mon Apr  3 00:01:05 2023 CEST
gpg:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3  7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: 4360 FE21 09C4 9763 186F  8E21 EBE4 1E90 F6F1 2F6D
```

@bhearsum

Yeah. Those packages were built and signed about a month before that GPG key expired - so as far as I know that's expected.

The next version that is built and published will be signed with a newer key (also available in the KEY file).

@sergei-pyshnoi

Thanks for explanation!

@whimboo
Collaborator

whimboo commented Oct 27, 2023

Hm, that raises the question of whether we really should use the PGP key for the signature file or just create our own checksum file based e.g. on SHA512. This would not cause issues like the above when users try to download a recent or older geckodriver release.

@jgraham what do you think?

@jgraham
Member

jgraham commented Oct 27, 2023

They provide quite different properties, right?

The PGP signature should allow you to validate that the binary you have is identical to one that was signed by Mozilla.

A checksum only really allows validating that you didn't get a corrupted download (because if you trust that what you download from the release page is real/correct then you can just directly check against that to ensure you have the correct binary; if you don't trust that you also can't trust the checksum, so it doesn't add any additional value).

It looks like the keys are typically valid for two years. I think the only reason this affects geckodriver more than Firefox is that we have a more irregular release schedule. But maybe we can figure out a way to re-sign the current version with the new key if the key used at the time of initial release expires?

@whimboo
Collaborator

whimboo commented Nov 8, 2023

@bhearsum is re-signing possible? I assume we would have to check-out the revision of mozilla-central that we originally used for the release, but it's not clear if the new PGP key will be used by the signing tasks.

@bhearsum

> @bhearsum is re-signing possible? I assume we would have to check-out the revision of mozilla-central that we originally used for the release, but it's not clear if the new PGP key will be used by the signing tasks.

New signing tasks would get new signatures with the recent keys, yes.

@toolonely

> It looks like those are signed with the same key as Firefox

Wouldn't it be useful to explicitly add this to the README?

> can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

Since keys change, for convenience it would be nice to add the Firefox key straight to each release, or at least link to them on the Mozilla website, so nobody has to do additional web searches or dig through GitHub issues to find this.

@whimboo
Collaborator

whimboo commented Feb 1, 2024

So the KEY files seem to have been updated back to the 114.0 release:

https://archive.mozilla.org/pub/firefox/releases/114.0/KEY
https://archive.mozilla.org/pub/firefox/releases/113.0/KEY

But in regard to referencing the up-to-date key, we probably want to add a link to the PGP key at keys.openpgp.org instead.

Not sure if we should re-build geckodriver releases and modify the binaries at a later time. It would be better to just get a new release of geckodriver out as built with the new key.

@bhearsum what do you think?

@basil

basil commented Jul 29, 2024

Does anyone have a link to example code demonstrating how to fetch the tarball and verify its signature from a Dockerfile?

@jamesfpb

jamesfpb commented Aug 13, 2024

Here you go:

```dockerfile
# Install only what is needed to fetch and verify the release asset.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
  && apt-get install -y --no-install-recommends \
       wget \
       gnupg \
       ca-certificates \
       xz-utils \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

ARG VERSION_GECKODRIVER="0.31.0"
ARG BINARY="https://github.com/mozilla/geckodriver/releases/download/v${VERSION_GECKODRIVER}/geckodriver-v${VERSION_GECKODRIVER}-linux64.tar.gz"
ARG SIGNATURE="${BINARY}.asc"
# Primary fingerprint of the Mozilla Software Releases key (see the KEY file
# and the keys.openpgp.org link earlier in this thread).
ARG FINGERPRINT="14F26682D0916CDD81E37B6D61B7B526D98F0353"

WORKDIR /app
# Fetch the key by its full fingerprint, download the asset plus its detached
# signature, and require a VALIDSIG status line that ends in the pinned primary
# fingerprint (VALIDSIG lists the signing subkey first and the primary key last).
# Anything else aborts the build before the tarball is extracted.
RUN gpg --keyserver hkps://keys.openpgp.org --recv-keys "${FINGERPRINT}" \
  && wget --show-progress --progress=bar:force:noscroll "${SIGNATURE}" "${BINARY}" \
  && gpg --status-fd 1 --verify "${SIGNATURE##*/}" "${BINARY##*/}" 2>/dev/null \
     | grep -q "^\[GNUPG:\] VALIDSIG.*${FINGERPRINT}\$" || exit 1 \
  && tar -xzvf "${BINARY##*/}" \
  && rm "${BINARY##*/}" "${SIGNATURE##*/}"
```
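As an added example (not geckodriver's or Mozilla's code), here is a small Python policy check over the machine-readable output of `gpg --status-fd 1 --verify`. It makes explicit the two decisions this thread circles around: pin the full primary-key fingerprint that bhearsum pointed to (the same thing the `grep` on `VALIDSIG` in the Dockerfile above does), and decide deliberately whether an `EXPKEYSIG` from a key that expired after the release was signed, the case in sergei-pyshnoi's log, is acceptable for the release being installed. The status lines are constructed to mirror that log and are not captured output; the `allow_expired_key` flag is this example's own policy knob, not a gpg or geckodriver option.

```python
"""Policy check over `gpg --status-fd 1 --verify <asset>.asc <asset>` output.

Added example for this thread; not geckodriver or Mozilla tooling. The
primary-key fingerprint is the one quoted in the thread; the status lines are
constructed to mirror the expired-key case above and are not captured output.
"""
from dataclasses import dataclass

# Primary fingerprint of "Mozilla Software Releases <release@mozilla.com>" as
# quoted in the thread. Pin the full fingerprint, never a short key ID.
EXPECTED_PRIMARY_FPR = "14F26682D0916CDD81E37B6D61B7B526D98F0353"

# Status tags after which nothing else in the output can rescue the verdict.
FAIL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG"}


@dataclass
class VerifyDecision:
    accepted: bool
    reason: str
    signing_key_fpr: str = ""
    primary_key_fpr: str = ""
    key_expired: bool = False


def parse_status_lines(status_output: str) -> list[list[str]]:
    """Return the whitespace-split fields of every '[GNUPG:] ...' line."""
    return [line.split() for line in status_output.splitlines()
            if line.startswith("[GNUPG:] ")]


def decide(status_output: str, expected_primary_fpr: str,
           allow_expired_key: bool) -> VerifyDecision:
    """Accept only a signature gpg itself called good (GOODSIG or EXPKEYSIG)
    whose VALIDSIG line names the expected *primary* key. EXPKEYSIG means the
    signature verified but the key has since expired, which is what an older
    geckodriver release looks like; allow_expired_key (hypothetical, this
    example's own) is the policy knob for that case."""
    signature_good = False
    key_expired = False
    validsig = None
    for fields in parse_status_lines(status_output):
        tag = fields[1]
        if tag == "GOODSIG":
            signature_good = True
        elif tag == "EXPKEYSIG":
            signature_good = True
            key_expired = True
        elif tag in FAIL_TAGS:
            return VerifyDecision(False, f"gpg reported {tag}")
        elif tag == "VALIDSIG":
            validsig = fields[2:]
    if not signature_good or validsig is None:
        return VerifyDecision(False, "no GOODSIG/EXPKEYSIG plus VALIDSIG in gpg output")
    # VALIDSIG: <signing fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
    #           <hash-algo> <sig-class> [<primary fpr>]
    # The signing key is usually a subkey; the primary fingerprint is what the
    # KEY file and keys.openpgp.org identify, so that is what gets compared.
    signing_fpr = validsig[0].upper()
    primary_fpr = (validsig[9] if len(validsig) > 9 else signing_fpr).upper()
    if primary_fpr != expected_primary_fpr.upper():
        return VerifyDecision(False, f"signed by unexpected primary key {primary_fpr}",
                              signing_fpr, primary_fpr, key_expired)
    if key_expired and not allow_expired_key:
        return VerifyDecision(False, "signing key has expired and policy rejects expired keys",
                              signing_fpr, primary_fpr, key_expired)
    return VerifyDecision(True, "valid signature from the expected Mozilla release key",
                          signing_fpr, primary_fpr, key_expired)


# Constructed status output mirroring the expired-key log in the thread
# (signing subkey 4360...2F6D under primary 14F2...0353, key expired since).
STATUS_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1683633600
[GNUPG:] KEY_CONSIDERED 14F26682D0916CDD81E37B6D61B7B526D98F0353 0
[GNUPG:] SIG_ID ConstructedSigIdNotReal000000 2023-04-02 1680472865
[GNUPG:] EXPKEYSIG EBE41E90F6F12F6D Mozilla Software Releases <release@mozilla.com>
[GNUPG:] VALIDSIG 4360FE2109C49763186F8E21EBE41E90F6F12F6D 2023-04-02 1680472865 0 4 0 1 10 00 14F26682D0916CDD81E37B6D61B7B526D98F0353
"""

# Constructed: a perfectly good signature, but from somebody else's key.
STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
"""

# Constructed: tampered asset, signature does not match.
STATUS_BAD_SIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG EBE41E90F6F12F6D Mozilla Software Releases <release@mozilla.com>
"""

if __name__ == "__main__":
    for name, out in [("expired key", STATUS_EXPIRED_KEY),
                      ("wrong key", STATUS_WRONG_KEY), ("bad sig", STATUS_BAD_SIG)]:
        d = decide(out, EXPECTED_PRIMARY_FPR, allow_expired_key=True)
        print(f"{name:12s} accepted={d.accepted} expired={d.key_expired} {d.reason}")
```

In a pipeline you would feed `decide()` the stdout of `gpg --status-fd 1 --verify` and set `allow_expired_key` per release: true for a version published before the key in the KEY file expired, false once a build signed with the newer key is available, so the check tightens as soon as it can.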

8 participants