Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate improving security of Ansible get_url download using GPG signature verification #2233

Closed
andrew-m-leonard opened this issue Jun 22, 2021 · 8 comments
Closed

Investigate improving security of Ansible get_url download using GPG signature verification #2233

andrew-m-leonard opened this issue Jun 22, 2021 · 8 comments
Assignees
@Haroon-Khel
Labels
ansible
Milestone
2023-01 (January)

Comments

@andrew-m-leonard
Copy link
Contributor

As part of improving the security of the supply chain and reproducible builds (adoptium/temurin-build#2522), I have investigated some of the Ansible playbooks which download dependencies using get_url from the internet. The risk of such downloads are:

  • Are they malicious websites?
  • Have the website content being tampered with?
  • Has a man-in-the-middle intercepted?
    These equally apply to manually downloaded and stored Ansible content as well.

Currently get_url task for most(but not all) of the downloads uses a checksum. This is reasonable, assuming the accuracy of the checksum is assured? for example was the content manually downloaded actually tampered prior to checksum creation? We can't be sure it is from the origin, especially in man-in-the-middle, which could even tamper with checksum files when downloaded, to match tampered content.

Using GPG signatures is far more safe.
Currently Ansible does not provide a builtin way of using GPG sigs. So we would need to provide our own extension?
@andrew-m-leonard andrew-m-leonard self-assigned this Jun 22, 2021
@Haroon-Khel Haroon-Khel self-assigned this Jun 22, 2021
@Haroon-Khel
Copy link
Contributor

Haroon-Khel commented Jun 24, 2021
edited
Loading

Starting with the UNIX playbook, I will document the validation method of the downloaded packages

File Validation method
Ant Supplies a checksum, but no validation. Supplies a .asc file
Ant-contrib Doesn't supply a checksum, but we have one in the playbooks
Autoconf Doesn't supply a checksum, but we have one in the playbooks. Supplies a .sig file
cmake Not sure but the playbooks have one. Supplies a PGP signature
expat Doesn't supply a checksum, but we have one in the playbooks
zlib Doesn't supply a checksum, but we have one in the playbooks. Supplies a gpg signature
IBM Java 8 for SLES (Link has expired )
Curl Supplies a .asc file
GGC-4.8 Supplies a .sig file
GCC-7.5
GCC-9.3
Git Supplies a .sign file
Gmake Supplies a .sig
Maven Checksum and validation .Supplies a .asc file
Nagios-Plugins Checksum and validation but no gpg validation
Nagios Supporting Script
NNVidia CUDA toolkit
OpenSSL
Python3 Supplies a .asc file

@karianna karianna added this to the June 2021 milestone Jun 25, 2021
@sxa sxa modified the milestones: June 2021, July 2021 Jul 5, 2021
@Haroon-Khel Haroon-Khel modified the milestones: July 2021, August Aug 4, 2021
@sxa sxa modified the milestones: August 2021, Backlog Sep 23, 2021
@sxa
Copy link
Member

sxa commented Oct 1, 2021

The more of these we can validate the better, so adding good first issue for anyone that wants to start working on doing the validation for any in the table that are missing it currently.

@Haroon-Khel
Copy link
Contributor

Haroon-Khel commented Apr 8, 2022
edited
Loading

An issue has been raised with Ansible already about their support for gpg signature validation on downloads using their get_url module
ansible/ansible#69364

@sxa
Copy link
Member

sxa commented May 30, 2022

Related: #2553

@sxa sxa modified the milestones: Backlog, 2022-06 (June) May 30, 2022
@zdtsw
Copy link
Contributor

zdtsw commented Jun 2, 2022

for those using "get_url" if can be replaced by using "apt" "yum"or "package" module, we replace them. check is by default enabled in these modules.

@andrew-m-leonard andrew-m-leonard removed their assignment Jun 2, 2022
@sxa
Copy link
Member

sxa commented Jun 6, 2022

for those using "get_url" if can be replaced by using "apt" "yum"or "package" module, we replace them. check is by default enabled in these modules.

But only if the artifact it's supplied in one of those formats. This should cover source tarball downloads etc. too.

@zdtsw
Copy link
Contributor

zdtsw commented Jun 6, 2022

for those using "get_url" if can be replaced by using "apt" "yum"or "package" module, we replace them. check is by default enabled in these modules.

But only if the artifact it's supplied in one of those formats. This should cover source tarball downloads etc. too.

sure! for the others like tarball, which cannot use module, we still need gpg to verify

@sxa sxa modified the milestones: 2022-06 (June), 2022-07 (July) Jun 30, 2022
@sxa sxa modified the milestones: 2022-07 (July), 2022-10 (October) Sep 1, 2022
@sxa sxa removed this from the 2022-11 (November) milestone Nov 23, 2022
@sxa sxa added this to the 2022-12 (December) milestone Nov 23, 2022
@Haroon-Khel Haroon-Khel mentioned this issue Jan 12, 2023
Merged
8 tasks
@Haroon-Khel
Copy link
Contributor

Closing as #2881 is merged

@Haroon-Khel Haroon-Khel mentioned this issue Jan 31, 2023
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Haroon-Khel Haroon-Khel

Labels
ansible
Projects
No open projects
Adoptium 1Q 2023 Plan
Status: Done
Adoptium June 2022 Plan
Status: Done
Outreachy December 2022
Status: Done
Milestone
2023-01 (January)
Development

No branches or pull requests
5 participants
@karianna @zdtsw @sxa @andrew-m-leonard @Haroon-Khel