Skip to content

Fix Alpine minirootfs download and verification #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
probonopd merged 2 commits into from
May 21, 2025
Merged

Fix Alpine minirootfs download and verification #122

probonopd merged 2 commits into from
May 21, 2025

Conversation

@bastimeyer
Copy link
Contributor

@bastimeyer bastimeyer commented May 21, 2025

  • Download and verify PGP signature instead of sha256 sum
  • Add public key ncopa.asc:
    0482d84022f52df1c4e7cd43293acd0907d9495a
    Natanael Copa <[email protected]>

I've noticed that the chroot_build.sh script was downloading both the Alpine minirootfs tarball and its sha256 sum over HTTP (no HSTS). Verifying the tarball using the checksum that has also been downloaded over a non-TLS connection at the same time doesn't achieve anything security-wise.

type2-runtime/scripts/chroot/chroot_build.sh

Lines 39 to 41 in 2df896e

wget "http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_RELEASE%.*}/releases/${ALPINE_ARCH}/alpine-minirootfs-${ALPINE_RELEASE}-${ALPINE_ARCH}.tar.gz"
wget "http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_RELEASE%.*}/releases/${ALPINE_ARCH}/alpine-minirootfs-${ALPINE_RELEASE}-${ALPINE_ARCH}.tar.gz.sha256"
sha256sum -c alpine-minirootfs-${ALPINE_RELEASE}-${ALPINE_ARCH}.tar.gz.sha256

This PR therefore adds the PGP signing pub-key of Alpine releases (0482d84022f52df1c4e7cd43293acd0907d9495a) to the repo, downloads the PGP signature instead of the sha256 sum and verifies the tarball using that.

@bastimeyer
Fix Alpine minirootfs download and verification
43b5871 
- Download and verify PGP signature instead of sha256 sum
- Add public key ncopa.asc:
  0482d84022f52df1c4e7cd43293acd0907d9495a
  Natanael Copa <[email protected]>
@probonopd
Copy link
Member

probonopd commented May 21, 2025

Thanks @bastimeyer. Alternatively we might want to store a hash of the files even in this repository and check against it, like we do for some other files iirc. @TheAssassin wdyt?

@github-actions
Copy link

github-actions bot commented May 21, 2025

Build for testing:
artifacts x86_64
artifacts i686
artifacts armhf
Use at your own risk.

@github-actions
Copy link

github-actions bot commented May 21, 2025

Build for testing:
artifacts x86_64
artifacts i686
artifacts armhf
artifacts aarch64
Use at your own risk.

@TheAssassin
Copy link
Member

TheAssassin commented May 21, 2025

@probonopd checking against a specific hash is probably overkill. We trust Alpine. Authenticating the bundles is a good idea, though.

@probonopd probonopd enabled auto-merge (squash) May 21, 2025 20:55
@probonopd probonopd merged commit 94bfa3c into AppImage:main May 21, 2025
8 of 9 checks passed
@bastimeyer bastimeyer deleted the scripts/chroot/fix-alpine-minirootfs-download branch May 21, 2025 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheAssassin TheAssassin TheAssassin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bastimeyer @probonopd @TheAssassin