feat(foundryup): avoid unnecessary downloads and verify hashes of downloaded binaries upon install #10902
base: master
Conversation
…ng binaries against artifact, correctly handle releases without artifacts attached
Install
…one currently in use, also make sure to activate it before exiting
Title changed: "foundryup): verify hashes of downloaded binaries upon install" → "foundryup): avoid unnecessary downloads and verify hashes of downloaded binaries upon install"
Some scenarios to consider
Good call!
This is currently the case, see
Done, I did make it so that
This is currently the case, we look now in the versions directory for a matching tag. So instead of matching against |
all good tested on Win
the logic makes sense to me.
as a side note though, although docs are probably more suited than the actual implementation, imo it is worth explicitly stating the security risks of running with the --force flag
good point, yeah, docs should explicitly say that running with |
I've updated the documentation in the book here: https://76c73263.foundry-book.pages.dev/introduction/installation#verifying-the-integrity-and-provenance-of-binaries that points out you can at any time manually verify the integrity of the binary as well (this shows valid matches for all releases going back to the point where this was introduced).
I think once we are sure |
Motivation
Closes: #10755
Closes: #9519
Solution
With the release workflow we now generate attestation artifact links alongside the release: nightly-e0d3e2a842fb5fcff4e02ad0ac0ae72bbdd4f5b3

We download the attestation artifact `.txt` based on the architecture. If an attestation artifact `.txt` is found in the release we continue and extract the link from the text file. This link points to the actual attestation artifact (`.sigstore`). We download this artifact and extract the base64 encoded payload from it; this contains the SHA256 hashes. We store these hashes in global `HASH_NAMES` / `HASH_VALUES` arrays that we can access later by lookup.

Next we check the SHA256 sum of the current binaries of the version to install against the hashes of the verification artifact (so not necessarily the one activated, but rather the binaries stored in `~/.foundry/versions/`). If these two do not match we can assume the local version is out of date and we need to download the binaries. If there is an exact match we know they are up to date and we can exit early, preventing an unnecessary download. Previously we would always download the binaries no matter what.

Finally, once the binaries are downloaded, we match the newly downloaded binaries against the earlier stored `HASH_NAMES` / `HASH_VALUES`. This should always match exactly; if it does not, there is a potential security issue, as the user is installing a version that is different than the one produced by the release workflow.

Includes a `-f` / `--force` flag to skip verification and force a fresh install.

Related book PR: foundry-rs/book#1591
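The before-and-after-download verification flow described in the Solution, as an added bash example that is not foundryup's own code. It assumes the DSSE payload of the `.sigstore` bundle is a compact-JSON in-toto Statement whose `subject` entries carry `name` and `digest.sha256` (pulled out with grep/sed rather than jq), that `base64 -d` and either `sha256sum` or `shasum -a 256` are available, and it keeps the digests in parallel `HASH_NAMES` / `HASH_VALUES` arrays rather than `declare -A`, which the bash 3.2 shipped with macOS lacks. The statement and files built at the bottom are constructed sample data, not a real release, and the `--force` bypass is not modelled.

```shell
#!/usr/bin/env bash
# Added example, not foundryup's code: parse the SHA256 digests from an
# attestation's DSSE payload into parallel arrays and verify binaries against
# them before (skip the download) and after (integrity check) installing.
# Parallel arrays rather than `declare -A` because macOS ships bash 3.2.

HASH_NAMES=()
HASH_VALUES=()

# Portable SHA256 of a file (GNU coreutils or shasum); prints the hex digest.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Fill HASH_NAMES / HASH_VALUES from the base64 payload of the bundle's
# dsseEnvelope (assumed layout: compact in-toto Statement whose "subject" list
# holds {"name":...,"digest":{"sha256":...}}). grep/sed keeps the installer
# free of a jq dependency. Returns 1 when the payload attests no file at all.
load_hashes_from_payload() {
  local payload_b64=$1 pairs entry oldifs
  HASH_NAMES=()
  HASH_VALUES=()
  pairs=$(printf '%s' "$payload_b64" | base64 -d |
    grep -Eo '"name":"[^"]+","digest":\{"sha256":"[0-9a-f]{64}"' |
    sed -E 's/"name":"([^"]+)","digest":\{"sha256":"([0-9a-f]{64})"/\1 \2/')
  oldifs=$IFS
  IFS=$'\n'
  for entry in $pairs; do          # one "name digest" pair per line
    HASH_NAMES+=("${entry% *}")
    HASH_VALUES+=("${entry#* }")
  done
  IFS=$oldifs
  [ "${#HASH_NAMES[@]}" -gt 0 ]
}

# Expected digest for a release file name, by scanning the parallel arrays.
lookup_hash() {
  local i
  [ "${#HASH_NAMES[@]}" -gt 0 ] || return 1
  for i in "${!HASH_NAMES[@]}"; do
    if [ "${HASH_NAMES[$i]}" = "$1" ]; then
      printf '%s\n' "${HASH_VALUES[$i]}"
      return 0
    fi
  done
  return 1
}

# 0 = digest matches, 1 = mismatch, 2 = the release attested no such file.
verify_binary() {
  local name=$1 path=$2 expected actual
  expected=$(lookup_hash "$name") || return 2
  actual=$(file_sha256 "$path")
  [ "$actual" = "$expected" ]
}

# Before downloading: the copy already under ~/.foundry/versions/<tag>/ is
# reused only when it exists and matches the attested digest. 0 = download.
needs_download() {
  local name=$1 path=$2
  [ -f "$path" ] || return 0
  if verify_binary "$name" "$path"; then return 1; fi
  return 0
}

# After downloading: a mismatch means the file is not what the release
# workflow produced, so refuse it; an unattested file is reported, not failed.
check_download() {
  local name=$1 path=$2 rc=0
  verify_binary "$name" "$path" || rc=$?
  case $rc in
    0) echo "$name: digest matches release attestation" ;;
    2) echo "$name: not covered by the release attestation, unverified" ;;
    *) echo "$name: DIGEST MISMATCH, refusing to install" >&2; return 1 ;;
  esac
}

# --- Constructed demo data (not a real foundry release) ---
DEMO_DIR=$(mktemp -d)
printf 'pretend this is the forge binary\n' > "$DEMO_DIR/forge"
printf 'pretend this is the cast binary\n'  > "$DEMO_DIR/cast"
printf 'tampered forge binary\n'            > "$DEMO_DIR/forge.tampered"
# The statement a release attestation would carry for these two files; in real
# use it is the dsseEnvelope.payload of the downloaded .sigstore bundle.
DEMO_PAYLOAD=$(printf '{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"forge","digest":{"sha256":"%s"}},{"name":"cast","digest":{"sha256":"%s"}}],"predicateType":"https://slsa.dev/provenance/v1"}' \
  "$(file_sha256 "$DEMO_DIR/forge")" "$(file_sha256 "$DEMO_DIR/cast")" | base64 | tr -d '\n')
load_hashes_from_payload "$DEMO_PAYLOAD"

needs_download forge "$DEMO_DIR/forge" || echo "forge: local copy matches, skipping download"
needs_download forge "$DEMO_DIR/forge.tampered" && echo "forge: local copy differs, downloading"
check_download forge "$DEMO_DIR/forge"
check_download forge "$DEMO_DIR/forge.tampered" || echo "(install aborted)"
```

The attestation's signature is checked separately (the bundle is what `gh attestation verify` consumes); this block only covers the digest comparison, which is the part that decides whether a cached copy can be reused and whether a fresh download is accepted.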
Note

`HASHES[bin]` with `declare -A`, this is not compatible with macOS.

To do

PR Checklist