#33 Validate remote installs

Closed
opened 1 year ago by jhabdas · 5 comments
jhabdas commented 1 year ago


Use the release shasum provided by NPM to validate packages downloaded before attempting to use them, to guard against a potential MITM attack if the package is compromised. Also helps ensure NPM returns what's expected in cases where they don't 404 on invalid packages (which they're currently not doing properly). As an added bonus, see if there's a way to also validate against the official git release archives. Related: #53
jhabdas added the
enhancement
label 1 year ago
jhabdas commented 1 year ago
Owner

Stepping towards validation, After Dark now cloaks itself upon install and asks users to enter a key to continue, as shown in the attached.

jhabdas commented 1 year ago
Owner

`npm pack` yadda yadda `grep integrity` appears to be [what I'm looking for](https://npm.community/t/feature-request-consistency-between-what-is-published-on-npm-and-the-source-code-published-on-public-repos/509/7).
jhabdas commented 1 year ago
Owner

[Almost](https://git.habd.as/comfusion/after-dark/src/commit/a1fb36d5b0921f57f7d981d4bf34ec9be008100d/package.json#L27) got it working. The approach is going to drop the sha512 digests produced by NPM into the message of the git release `tag` so validations may be checked using:

  • NPM release archives
  • Release archives in git
  • Cloned repo with `head` pointed at `tag`

And compared against:

  • NPM registry metadata
  • git tag message dated and PGP signed

At that point someone would likely need to [crack SHA-512](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) to tamper with a release and an audit trail will be available to find out when it happened if it ever happens.

Users may then be notified their site may be compromised if anything doesn't check out.
jhabdas commented 1 year ago
Owner

Starting with `6.6.4` release tags [now include](https://git.habd.as/comfusion/after-dark/src/tag/v6.6.4) the SHA-512 digest produced by the corresponding release served by NPM and are PGP signed.

For convenience in validating the codebase a new `npm` script called `integrity` has been provided which may be used to validate any given release going forward and will also be the exact same value used to access online help for any given release.

See attached images for examples of this in action.
jhabdas commented 1 year ago
Owner

Effectively closed with release `6.6.4`. Some documentation would be nice but I'd like to get more feedback from NPM community and created the following idea as a result: https://npm.community/t/validating-npm-package-integrity-via-cli-commands/1691