Skip to content

internal: Verify provider signatures on install#24617

Merged
alisdair merged 1 commit intomasterfrom
alisdair/provider-installer-signature-verification
Apr 20, 2020
Merged

internal: Verify provider signatures on install#24617
alisdair merged 1 commit intomasterfrom
alisdair/provider-installer-signature-verification

Conversation

@alisdair
Copy link
Copy Markdown
Contributor

@alisdair alisdair commented Apr 9, 2020
edited
Loading

Providers installed from the registry are accompanied by a list of checksums (the "SHA256SUMS" file), which is cryptographically signed to allow package authentication. The process of verifying this has multiple steps:

  • First we must verify that the SHA256 hash of the package archive matches the expected hash. This could be done for local installations too, in the future.
  • Next we ensure that the expected hash returned as part of the registry API response matches an entry in the checksum list.
  • Finally we verify the cryptographic signature of the checksum list, using the public keys provided by the registry.

Each of these steps is implemented as a separate PackageAuthentication type. The local archive installation mechanism uses only the archive checksum authenticator, and the HTTP installation uses all three in the order given.

The package authentication system now also returns a result value, which is used by command/init to display the result of the authentication process.

There are three tiers of signature, each of which is presented differently to the user:

  • Signatures from the embedded HashiCorp public key indicate that the provider is officially supported by HashiCorp;
  • If the signing key is not from HashiCorp, it may have an associated trust signature, which indicates that the provider is from one of HashiCorp's trusted partners;
  • Otherwise, if the signature is valid, this is an untrusted community provider.

Screenshots

Official, partner, and community providers:

image

@alisdair alisdair self-assigned this Apr 9, 2020
@alisdair alisdair force-pushed the alisdair/provider-installer-signature-verification branch 2 times, most recently from d6a5225 to 2eb234b Compare April 9, 2020 17:07
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 9, 2020
edited
Loading

Codecov Report

Merging #24617 into master will increase coverage by 0.08%.
The diff coverage is 62.78%.

Impacted Files Coverage Δ
internal/getproviders/mock_source.go 53.73% <0.00%> (-5.29%) ⬇️
internal/providercache/installer.go 0.00% <0.00%> (ø)
internal/providercache/installer_events.go 0.00% <ø> (ø)
internal/providercache/package_install.go 21.05% <17.77%> (+1.05%) ⬆️
internal/getproviders/registry_client.go 60.74% <50.00%> (-3.33%) ⬇️
internal/getproviders/types.go 34.18% <66.66%> (+0.85%) ⬆️
command/init.go 71.42% <71.42%> (ø)
internal/providercache/dir_modify.go 76.47% <76.47%> (+44.47%) ⬆️
internal/getproviders/package_authentication.go 92.79% <92.63%> (+85.10%) ⬆️

apparentlymart
apparentlymart reviewed Apr 9, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@apparentlymart apparentlymart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me! I have some inline thingies, but they are minor and I think the overall approach here is nice.

@justincampbell justincampbell self-requested a review April 9, 2020 19:07
mildwonkey
mildwonkey reviewed Apr 10, 2020
View reviewed changes
mildwonkey
mildwonkey reviewed Apr 10, 2020
View reviewed changes
internal/getproviders/types.go
// concrete types: PackageLocalArchive, PackageLocalDir, or PackageHTTPURL.
type PackageLocation interface {
packageLocation()
String() string
Copy link
Copy Markdown
Contributor

@mildwonkey mildwonkey Apr 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a nice change! I like how this change looks in dir_modify.go

justincampbell
justincampbell reviewed Apr 10, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@justincampbell justincampbell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great so far!

justincampbell
justincampbell reviewed Apr 13, 2020
View reviewed changes
@alisdair alisdair mentioned this pull request Apr 15, 2020
Merged
@alisdair alisdair force-pushed the alisdair/provider-installer-signature-verification branch from b5a9ab3 to a78890d Compare April 15, 2020 16:25
@alisdair alisdair marked this pull request as ready for review April 15, 2020 16:35
@alisdair alisdair requested a review from a team April 15, 2020 16:35
apparentlymart
apparentlymart approved these changes Apr 16, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@apparentlymart apparentlymart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me! 🎉 Nice work.

@alisdair
internal: Verify provider signatures on install
a5b3d49 
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:

- First we must verify that the SHA256 hash of the package archive
  matches the expected hash. This could be done for local installations
  too, in the future.
- Next we ensure that the expected hash returned as part of the registry
  API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
  using the public keys provided by the registry.

Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.

The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.

There are three tiers of signature, each of which is presented
differently to the user:

- Signatures from the embedded HashiCorp public key indicate that the
  provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
  trust signature, which indicates that the provider is from one of
  HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
@alisdair alisdair force-pushed the alisdair/provider-installer-signature-verification branch from a78890d to a5b3d49 Compare April 17, 2020 17:57
@alisdair alisdair merged commit e32e7e2 into master Apr 20, 2020
@alisdair alisdair deleted the alisdair/provider-installer-signature-verification branch April 20, 2020 16:11
@ghost
Copy link
Copy Markdown

ghost commented May 21, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mildwonkey mildwonkey mildwonkey left review comments

+2 more reviewers

@justincampbell justincampbell justincampbell left review comments

@apparentlymart apparentlymart apparentlymart approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@alisdair alisdair

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alisdair @apparentlymart @justincampbell @mildwonkey