Verify the integrity of components coming from channels #112

jmesnil · 2022-10-21T10:25:28Z

When a component is installed from a stream, we should have a way to verify its integrity.

We could add a sha256checksum that would be verify when the corresponding artifact is downloaded to verify that its content has not been modified.
This is only possible if a fixed version is defined and would not make sense with versionPattern.

The checksum is also tied to the type and classifier of artifacts retrieved (eg Galleon pack would need to verify their zip package) while jar dependencies would verify their jar package. A single GA can define multiple artifacts thanks to the classifier, classifier, if any, is taken into account as [classifier/]extension in the key.

streams:
  - groupId: org.wildfly
    artifactId: wildfly-galleon-pack
    version: 26.0.0.Final
    sha256checksum:
      zip: d06591ac1fa5871258a574abcd4cc06f8be28ad1
  - groupId: org.wildfly.core
     artifactId: wildfly-controller
     version:19.0.0.Final
     sha256checksum:
       jar: 1cdc99e86a0002d111e7e41cc6989ca83624cd62
  - groupId: org.wildfly.core
     artifactId: wildfly-cli
     version:19.0.0.Final
     sha256checksum:
       jar: 1cdc99e86a0002d111e7e41cc6989ca83624cd62
       client/jar: 2adc99e86a0002d111e7e41cc6989ca83624cd98

If the sha256checksum section is not present (or there is no value for the given package type), the integrity of the component will not be verified.
If version is not present and the sha256checksum is present, an error will be reported.

The text was updated successfully, but these errors were encountered:

This fixes wildfly-extras#112. Signed-off-by: Jeff Mesnil <[email protected]>

This fixes wildfly-extras#112. Signed-off-by: Jeff Mesnil <[email protected]> Conflicts: core/src/main/java/org/wildfly/channel/Channel.java core/src/main/java/org/wildfly/channel/ChannelSession.java

[#112] Enable GPG checks of channel artifacts

jmesnil mentioned this issue Oct 21, 2022

Splitting channel metadata into Channel and Manifest files #109

Merged

jmesnil changed the title ~~Add a sha1checksum field to the stream to verify the integrity of downloads~~ Add a sha256checksum field to the stream to verify the integrity of downloads Oct 21, 2022

jmesnil added a commit to jmesnil/wildfly-channel that referenced this issue Oct 21, 2022

[wildfly-extras#112] WIP

dafdf3a

This fixes wildfly-extras#112. Signed-off-by: Jeff Mesnil <[email protected]>

jmesnil added a commit to jmesnil/wildfly-channel that referenced this issue Oct 21, 2022

[wildfly-extras#112] WIP

d77ba41

This fixes wildfly-extras#112. Signed-off-by: Jeff Mesnil <[email protected]>

jmesnil changed the title ~~Add a sha256checksum field to the stream to verify the integrity of downloads~~ Verify the integrity of components coming from channels Nov 16, 2022

jfdenise linked a pull request Jan 25, 2023 that will close this issue

Fix for #112, Verify the integrity of components coming from channels #134

Draft

spyrkob mentioned this issue Oct 29, 2024

[#112] Enable GPG checks of channel artifacts #268

Merged

jmesnil closed this as completed in #268 Dec 19, 2024

jmesnil added a commit that referenced this issue Dec 19, 2024

Merge pull request #268 from spyrkob/mvn_verify

52c9d15

[#112] Enable GPG checks of channel artifacts

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verify the integrity of components coming from channels #112

Verify the integrity of components coming from channels #112

jmesnil commented Oct 21, 2022 •

edited by jfdenise

Loading

Verify the integrity of components coming from channels #112

Verify the integrity of components coming from channels #112

Comments

jmesnil commented Oct 21, 2022 • edited by jfdenise Loading

jmesnil commented Oct 21, 2022 •

edited by jfdenise

Loading