[cipd] Pin hashes of CIPD packages.

Together with already committed cipd_client_version.digests file, this cryptographically binds contents of CIPD packages used by depot_tools with depot_tool's git revision (assuming the CIPD client pinned by cipd_client_version.digests is trusted too, which can presumably be verified when it is being pinned). This holds true even if the CIPD backend is compromised. The worst that can happen is a denial of service (e.g. if the backend refuses to serve packages at all). If a bad backend tries to serve a malicious (unexpected) CIPD client, 'cipd' bootstrap script (and its powershell counterpart) will detect a mismatch between SHA256 of the fetched binary and what's specified in cipd_client_version.digests, and will refuse to run the untrusted binary. Similarly, if the bad backend tries to serve some other unexpected package (in place of a package specified in cipd_manifest.txt), the CIPD client (already verified and trusted as this point) will detect a mismatch between what was fetched and what's pinned in cipd_manifest.versions, and will refuse to install untrusted files. cipd_manifest.versions was generated from cipd_manifest.txt by: $ cipd ensure-file-resolve -ensure-file cipd_manifest.txt This will have to be rerun each time cipd_manifest.txt is updated. There's a presubmit check that verifies *.versions file is up-to-date (it's part of 'cipd ensure-file-verify'). BUG=870166 R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5 Reviewed-on: https://chromium-review.googlesource.com/1227435 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>
7 years ago · 01710d041f
parent 0526335226
commit 01710d041f
2 changed files with 217 additions and 0 deletions
--- a/cipd_manifest.txt
+++ b/cipd_manifest.txt
@ -2,6 +2,9 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

+# Pin resolved versions in the repo, to reduce trust in the CIPD backend.
+$ResolvedVersions cipd_manifest.versions
+
 # Fully supported plaforms.
 $VerifiedPlatform linux-amd64 mac-amd64 windows-amd64 windows-386

--- a/cipd_manifest.versions
+++ b/cipd_manifest.versions
@ -0,0 +1,214 @@
+# This file is auto-generated by 'cipd ensure-file-resolve'.
+# Do not modify manually. All changes will be overwritten.
+
+infra/tools/luci-auth/linux-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	xAg3WX2ex3ULkoVUsbr6B65nuYnpWaFNu6BO6HhQ0sgC
+
+infra/tools/luci-auth/linux-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	cexxITLLto0E5R-VwXpZWQUq1mXCXXGjGbew22M66cMC
+
+infra/tools/luci-auth/linux-arm64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	SZ5EOimriMpRBY4fGC_Rp3TV41sbgHzw9gjZYFmgV6UC
+
+infra/tools/luci-auth/linux-armv6l
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	oCC_oVAcUUKscPFq_kFjWxXYIVzjG-r0_DV_n3EohRsC
+
+infra/tools/luci-auth/linux-mips64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	_-5uoJFORdex2t1QyS_ihDb7lFQAz4DdROaPatVoI1IC
+
+infra/tools/luci-auth/linux-mips64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	bT5siMU35bfMAtjaUbQpg0o5EVi70sF9jNte-593-TcC
+
+infra/tools/luci-auth/linux-mipsle
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	AQ7Ka00m0aVQ_Gspqfj-PeNM4j2YhxYypnVmeDEA9UQC
+
+infra/tools/luci-auth/linux-ppc64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	ELLeZLgltcdkFDgwRKKmp9WMo8buIsL3NdkWxtGQoH4C
+
+infra/tools/luci-auth/linux-ppc64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	wlj-VEzFtvkweSFQfq8HbyY0GJI3EJFMzlpKhHOzrcEC
+
+infra/tools/luci-auth/linux-s390x
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	_hVxrjyTUEQaqoe5ckdj4bNHZxbl6aC5whk8bgulzP8C
+
+infra/tools/luci-auth/mac-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	PloatKD-3d2iygSAaYo9jT6IO2C-wZvEqcto1vndsMoC
+
+infra/tools/luci-auth/windows-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	FNfv1qwbmJiKVnFezV75UpPm_UdPcMHEnY253OdijTEC
+
+infra/tools/luci-auth/windows-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	1Y3Hk3hG0yhvLiQc1_HxEr8CtFJTjv92JvyvxIpiiGIC
+
+infra/tools/luci/led/linux-386
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	uSa3JcdnwDXPNO7KLsRCZjcdBE10kOjUtYl5bJOb3B8C
+
+infra/tools/luci/led/linux-amd64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	MxLtcH5xuO72bCOzkDokW3i0joAJI1L3tGs51pp384UC
+
+infra/tools/luci/led/linux-arm64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	L6c2z4wJM7q89d6f3ZIFuctxYaIT08_oixEU3OJgeEEC
+
+infra/tools/luci/led/linux-armv6l
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	B9kzsUuYdMYDpIcOsGD2EjW8s552Fz9dlIYDvYEFZqYC
+
+infra/tools/luci/led/linux-mips64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	tTRdCuDAvqnENt565-5d2-aUQZVd2D1lPcsH5w12A0AC
+
+infra/tools/luci/led/linux-mips64le
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	vq2ZohBH44Clv2dxLEd-rTirzVg2BzCD2nmDdB9EzikC
+
+infra/tools/luci/led/linux-mipsle
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	L3Qbg-fYgfpI3_gjU9yhMUPskDBQMy3l1PnQiJCO8KMC
+
+infra/tools/luci/led/linux-ppc64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	LD3yRHqx1t4iHbrcwrkxut5e3kmtuYjABPl2eRuGCtsC
+
+infra/tools/luci/led/linux-ppc64le
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	ooJCYDeU_J1oA8eQetX2G39ue2H0yPfkL2l9OGvt8uMC
+
+infra/tools/luci/led/linux-s390x
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	ImPO10nxiAWHql5YpoZKXlKTo9K_KyiAHKrv0ObtrsMC
+
+infra/tools/luci/led/mac-amd64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	zjOvYhbvD0ORvlSME65NZ5lE3fUzlitP_vxWoZp7WFYC
+
+infra/tools/luci/led/windows-386
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	ds0nhG0p-JWJpLEVJI5Unk2Q1XcUwxMw7Nw-RQe3iYYC
+
+infra/tools/luci/led/windows-amd64
+	git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11
+	RpBQavUwTd2jj1qLhqQDlTBym8dqxilvBAq5_ZmUyHQC
+
+infra/tools/luci/vpython/linux-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	jmU8YGarNQUuqk5TgIvdV97Pd7rVDCKhfobL0lwWmwAC
+
+infra/tools/luci/vpython/linux-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	uCjugbKg6wMIF6_H_BHECZQdcGRebhnZ6LzSodPHQ7AC
+
+infra/tools/luci/vpython/linux-arm64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	aJOwAgOcp-8ugtAsQba4BoZOLuCxyLv1wxgQoBDIo_EC
+
+infra/tools/luci/vpython/linux-armv6l
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	PfUeTxDKlk1_2BY4RsOf9I-I6wQUIOyp26TvyEvYyqgC
+
+infra/tools/luci/vpython/linux-mips64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	T8q1xTmmM3lTXTQy_cBTyqklxiFMUsFSQhS5Cu5Mrh4C
+
+infra/tools/luci/vpython/linux-mips64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	4EZxJ_LhVTNyc_xQq59BYF0KsmOPBbPDN59BM01oQBsC
+
+infra/tools/luci/vpython/linux-mipsle
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	qux_4U4ecHWDRh-PK4XDNLFbutiXinHa2RZ9_NlK2M4C
+
+infra/tools/luci/vpython/linux-ppc64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	UuJs9YmJ0Hb3EtjnHjhhmDkxqDOa29kkdF-e7m-hqBkC
+
+infra/tools/luci/vpython/linux-ppc64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	S-StfL41kH-x_Lk6oHNY2KmcY77RoEByi9QgNpgeC04C
+
+infra/tools/luci/vpython/linux-s390x
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	0_IpslKMNxS2uit3WDn5m3zsZv5-afinqZtWtRg-s8kC
+
+infra/tools/luci/vpython/mac-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	yAdok-mh5vfwq1vCAHprmejM9iE7R1t9Wn6RxrWmAAEC
+
+infra/tools/luci/vpython/windows-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	zkj0pNz5cDcHMwxT_8-Su1x775tZDr8dfvURakbIEN8C
+
+infra/tools/luci/vpython/windows-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	KGSAO8TqgotzoCl54WLHCJy4k2rqJJmdu3X5ORipZhkC
+
+infra/tools/mac_toolchain/mac-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	vNT-t_YkKEmj1dxZngt1gE8wkNrFxDkaI4qJlrmb6mUC
+
+infra/tools/prpc/linux-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	sgVa6Bqe47iNq_DUsB-lSCfxlou8r4uerxNg4umTO2EC
+
+infra/tools/prpc/linux-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	qIKuSNcuWDXDxEsV459Y9O38lFmjI0zSFf9fv8bCZ1cC
+
+infra/tools/prpc/linux-arm64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	y1ZfMndSGAU0lvne0JdMz5lAmuPht63WBlTvOxPZgX0C
+
+infra/tools/prpc/linux-armv6l
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	Uz6gU2q_O1scRPoXrRwrrS680hJKkzoUSeaWGNBBuscC
+
+infra/tools/prpc/linux-mips64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	M1-JZBfVj4yGaBKDZDXtVs7zL1ZUKmTU--A1iHcfIl8C
+
+infra/tools/prpc/linux-mips64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	nvFzHditASTC_uC5mpTBVJW8lNOr59xsOdZwMsDz-ssC
+
+infra/tools/prpc/linux-mipsle
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	AGR2Viao8FsoJrhFN2FFT4JT-0owJmsnK3Co_GNh2lAC
+
+infra/tools/prpc/linux-ppc64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	UDHoL3Ay_TtgKL8i0gH8ct745FcejLx79OKEo-jdl34C
+
+infra/tools/prpc/linux-ppc64le
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	10EhRfS4lfa8Yzr5OuSstYJTyHMxBlbegU7FRYSE580C
+
+infra/tools/prpc/linux-s390x
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	ZCOvdJxiARghbyT99Cyk5QYRghgTzoXL03KG9UxILtoC
+
+infra/tools/prpc/mac-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	0O-YV-VdtsIyIvEcBluv6fW_qa_ZZ5t6_iod8vYcuhAC
+
+infra/tools/prpc/windows-386
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	MbSykhR59B-iwL26ZhQfgYv8YgRJGA1179EDOICqrkIC
+
+infra/tools/prpc/windows-amd64
+	git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
+	zHI_Z_f3YwKQPBNWMCPhmiqyxt_vROHZVCZjHKYRTvIC