From 01710d041f2cdbdbbae1c1e145eb1e23ff998e07 Mon Sep 17 00:00:00 2001
From: Vadim Shtayura
Date: Tue, 18 Sep 2018 17:00:43 +0000
Subject: [PATCH] [cipd] Pin hashes of CIPD packages.

Together with already committed cipd_client_version.digests file, this
cryptographically binds contents of CIPD packages used by depot_tools with
depot_tool's git revision (assuming the CIPD client pinned by
cipd_client_version.digests is trusted too, which can presumably be verified
when it is being pinned).

This holds true even if the CIPD backend is compromised. The worst that can
happen is a denial of service (e.g. if the backend refuses to serve packages
at all).

If a bad backend tries to serve a malicious (unexpected) CIPD client, 'cipd'
bootstrap script (and its powershell counterpart) will detect a mismatch
between SHA256 of the fetched binary and what's specified in
cipd_client_version.digests, and will refuse to run the untrusted binary.

Similarly, if the bad backend tries to serve some other unexpected package
(in place of a package specified in cipd_manifest.txt), the CIPD client
(already verified and trusted at this point) will detect a mismatch between
what was fetched and what's pinned in cipd_manifest.versions, and will refuse
to install untrusted files.

cipd_manifest.versions was generated from cipd_manifest.txt by:

$ cipd ensure-file-resolve -ensure-file cipd_manifest.txt

This will have to be rerun each time cipd_manifest.txt is updated. There's
a presubmit check that verifies *.versions file is up-to-date (it's part of
'cipd ensure-file-verify').

BUG=870166
R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org

Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5
Reviewed-on: https://chromium-review.googlesource.com/1227435
Commit-Queue: Vadim Shtayura
Reviewed-by: Andrii Shyshkalov
---
 cipd_manifest.txt      |   3 +
 cipd_manifest.versions | 214 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 217 insertions(+)
 create mode 100644 cipd_manifest.versions

diff --git a/cipd_manifest.txt b/cipd_manifest.txt index 66f71a764..12f02e029 100644 --- a/cipd_manifest.txt +++ b/cipd_manifest.txt @@ -2,6 +2,9 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +# Pin resolved versions in the repo, to reduce trust in the CIPD backend. +$ResolvedVersions cipd_manifest.versions + # Fully supported plaforms. $VerifiedPlatform linux-amd64 mac-amd64 windows-amd64 windows-386 diff --git a/cipd_manifest.versions b/cipd_manifest.versions new file mode 100644 index 000000000..e56ef7e86 --- /dev/null +++ b/cipd_manifest.versions 
@@ -0,0 +1,214 @@ +# This file is auto-generated by 'cipd ensure-file-resolve'. +# Do not modify manually. All changes will be overwritten. + +infra/tools/luci-auth/linux-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + xAg3WX2ex3ULkoVUsbr6B65nuYnpWaFNu6BO6HhQ0sgC + +infra/tools/luci-auth/linux-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + cexxITLLto0E5R-VwXpZWQUq1mXCXXGjGbew22M66cMC + +infra/tools/luci-auth/linux-arm64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + SZ5EOimriMpRBY4fGC_Rp3TV41sbgHzw9gjZYFmgV6UC + +infra/tools/luci-auth/linux-armv6l + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + oCC_oVAcUUKscPFq_kFjWxXYIVzjG-r0_DV_n3EohRsC + +infra/tools/luci-auth/linux-mips64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + _-5uoJFORdex2t1QyS_ihDb7lFQAz4DdROaPatVoI1IC + +infra/tools/luci-auth/linux-mips64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + bT5siMU35bfMAtjaUbQpg0o5EVi70sF9jNte-593-TcC + +infra/tools/luci-auth/linux-mipsle + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + AQ7Ka00m0aVQ_Gspqfj-PeNM4j2YhxYypnVmeDEA9UQC + +infra/tools/luci-auth/linux-ppc64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + ELLeZLgltcdkFDgwRKKmp9WMo8buIsL3NdkWxtGQoH4C + +infra/tools/luci-auth/linux-ppc64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + wlj-VEzFtvkweSFQfq8HbyY0GJI3EJFMzlpKhHOzrcEC + +infra/tools/luci-auth/linux-s390x + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + _hVxrjyTUEQaqoe5ckdj4bNHZxbl6aC5whk8bgulzP8C + +infra/tools/luci-auth/mac-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + PloatKD-3d2iygSAaYo9jT6IO2C-wZvEqcto1vndsMoC + +infra/tools/luci-auth/windows-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + FNfv1qwbmJiKVnFezV75UpPm_UdPcMHEnY253OdijTEC + +infra/tools/luci-auth/windows-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + 1Y3Hk3hG0yhvLiQc1_HxEr8CtFJTjv92JvyvxIpiiGIC + +infra/tools/luci/led/linux-386 
+ git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + uSa3JcdnwDXPNO7KLsRCZjcdBE10kOjUtYl5bJOb3B8C + +infra/tools/luci/led/linux-amd64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + MxLtcH5xuO72bCOzkDokW3i0joAJI1L3tGs51pp384UC + +infra/tools/luci/led/linux-arm64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + L6c2z4wJM7q89d6f3ZIFuctxYaIT08_oixEU3OJgeEEC + +infra/tools/luci/led/linux-armv6l + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + B9kzsUuYdMYDpIcOsGD2EjW8s552Fz9dlIYDvYEFZqYC + +infra/tools/luci/led/linux-mips64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + tTRdCuDAvqnENt565-5d2-aUQZVd2D1lPcsH5w12A0AC + +infra/tools/luci/led/linux-mips64le + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + vq2ZohBH44Clv2dxLEd-rTirzVg2BzCD2nmDdB9EzikC + +infra/tools/luci/led/linux-mipsle + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + L3Qbg-fYgfpI3_gjU9yhMUPskDBQMy3l1PnQiJCO8KMC + +infra/tools/luci/led/linux-ppc64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + LD3yRHqx1t4iHbrcwrkxut5e3kmtuYjABPl2eRuGCtsC + +infra/tools/luci/led/linux-ppc64le + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + ooJCYDeU_J1oA8eQetX2G39ue2H0yPfkL2l9OGvt8uMC + +infra/tools/luci/led/linux-s390x + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + ImPO10nxiAWHql5YpoZKXlKTo9K_KyiAHKrv0ObtrsMC + +infra/tools/luci/led/mac-amd64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + zjOvYhbvD0ORvlSME65NZ5lE3fUzlitP_vxWoZp7WFYC + +infra/tools/luci/led/windows-386 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + ds0nhG0p-JWJpLEVJI5Unk2Q1XcUwxMw7Nw-RQe3iYYC + +infra/tools/luci/led/windows-amd64 + git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11 + RpBQavUwTd2jj1qLhqQDlTBym8dqxilvBAq5_ZmUyHQC + +infra/tools/luci/vpython/linux-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + jmU8YGarNQUuqk5TgIvdV97Pd7rVDCKhfobL0lwWmwAC + +infra/tools/luci/vpython/linux-amd64 + 
git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + uCjugbKg6wMIF6_H_BHECZQdcGRebhnZ6LzSodPHQ7AC + +infra/tools/luci/vpython/linux-arm64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + aJOwAgOcp-8ugtAsQba4BoZOLuCxyLv1wxgQoBDIo_EC + +infra/tools/luci/vpython/linux-armv6l + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + PfUeTxDKlk1_2BY4RsOf9I-I6wQUIOyp26TvyEvYyqgC + +infra/tools/luci/vpython/linux-mips64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + T8q1xTmmM3lTXTQy_cBTyqklxiFMUsFSQhS5Cu5Mrh4C + +infra/tools/luci/vpython/linux-mips64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + 4EZxJ_LhVTNyc_xQq59BYF0KsmOPBbPDN59BM01oQBsC + +infra/tools/luci/vpython/linux-mipsle + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + qux_4U4ecHWDRh-PK4XDNLFbutiXinHa2RZ9_NlK2M4C + +infra/tools/luci/vpython/linux-ppc64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + UuJs9YmJ0Hb3EtjnHjhhmDkxqDOa29kkdF-e7m-hqBkC + +infra/tools/luci/vpython/linux-ppc64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + S-StfL41kH-x_Lk6oHNY2KmcY77RoEByi9QgNpgeC04C + +infra/tools/luci/vpython/linux-s390x + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + 0_IpslKMNxS2uit3WDn5m3zsZv5-afinqZtWtRg-s8kC + +infra/tools/luci/vpython/mac-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + yAdok-mh5vfwq1vCAHprmejM9iE7R1t9Wn6RxrWmAAEC + +infra/tools/luci/vpython/windows-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + zkj0pNz5cDcHMwxT_8-Su1x775tZDr8dfvURakbIEN8C + +infra/tools/luci/vpython/windows-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + KGSAO8TqgotzoCl54WLHCJy4k2rqJJmdu3X5ORipZhkC + +infra/tools/mac_toolchain/mac-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + vNT-t_YkKEmj1dxZngt1gE8wkNrFxDkaI4qJlrmb6mUC + +infra/tools/prpc/linux-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + sgVa6Bqe47iNq_DUsB-lSCfxlou8r4uerxNg4umTO2EC + +infra/tools/prpc/linux-amd64 + 
git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + qIKuSNcuWDXDxEsV459Y9O38lFmjI0zSFf9fv8bCZ1cC + +infra/tools/prpc/linux-arm64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + y1ZfMndSGAU0lvne0JdMz5lAmuPht63WBlTvOxPZgX0C + +infra/tools/prpc/linux-armv6l + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + Uz6gU2q_O1scRPoXrRwrrS680hJKkzoUSeaWGNBBuscC + +infra/tools/prpc/linux-mips64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + M1-JZBfVj4yGaBKDZDXtVs7zL1ZUKmTU--A1iHcfIl8C + +infra/tools/prpc/linux-mips64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + nvFzHditASTC_uC5mpTBVJW8lNOr59xsOdZwMsDz-ssC + +infra/tools/prpc/linux-mipsle + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + AGR2Viao8FsoJrhFN2FFT4JT-0owJmsnK3Co_GNh2lAC + +infra/tools/prpc/linux-ppc64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + UDHoL3Ay_TtgKL8i0gH8ct745FcejLx79OKEo-jdl34C + +infra/tools/prpc/linux-ppc64le + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + 10EhRfS4lfa8Yzr5OuSstYJTyHMxBlbegU7FRYSE580C + +infra/tools/prpc/linux-s390x + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + ZCOvdJxiARghbyT99Cyk5QYRghgTzoXL03KG9UxILtoC + +infra/tools/prpc/mac-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + 0O-YV-VdtsIyIvEcBluv6fW_qa_ZZ5t6_iod8vYcuhAC + +infra/tools/prpc/windows-386 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + MbSykhR59B-iwL26ZhQfgYv8YgRJGA1179EDOICqrkIC + +infra/tools/prpc/windows-amd64 + git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89 + zHI_Z_f3YwKQPBNWMCPhmiqyxt_vROHZVCZjHKYRTvIC
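
Review bot: the comment above `$ResolvedVersions cipd_manifest.versions` in the cipd_manifest.txt hunk does not say that the pin file must be regenerated whenever the manifest changes. The commit message names the command (cipd ensure-file-resolve -ensure-file cipd_manifest.txt), but someone editing the manifest later will only see the file itself. Consider adding a second comment line with that command, so that a presubmit failure caused by an out-of-date *.versions file explains itself.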
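
Review bot: in the cipd_manifest.versions hunk the infra/tools/luci/led/* entries are resolved from git_revision:9d677cda113ba49bea3ed50c9ed18aa8c6a09b11, while luci-auth, vpython, mac_toolchain and prpc all use git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89. The manifest lines that select these versions are outside the visible context, so please confirm the difference matches cipd_manifest.txt. The instance IDs cannot be checked by eye, and they are the whole security value of this change, so a reviewer should rerun cipd ensure-file-resolve on a clean checkout with an already verified CIPD client and confirm the output is identical to this file before approving.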