Comments (7)
But probably the easiest thing is to pin the initial download to a particular cargo-binstall version and embed in the script the list of all sha256 hashes for the binaries for that release. Then we download that, check the relevant sum (with `sha256sum` or `Get-FileHash`), and bootstrap to the latest version with `--only-signed`.
from cargo-binstall.
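One way to script the pinned bootstrap proposed above, as an added example rather than cargo-binstall's own installer: the script carries a fixed release tag and a per-target SHA-256 table, refuses to unpack anything that does not match, and only then lets the verified binary upgrade itself with `--only-signed`. It assumes release assets are named `cargo-binstall-<target>.tgz`; `PINNED_VERSION` and the hashes are placeholders to be replaced with the values published for the pinned release.

```shell
#!/usr/bin/env sh
# Added example, not cargo-binstall's installer: verify a pinned release against an
# embedded hash table before trusting it to fetch anything else.
set -eu

PINNED_VERSION="vX.Y.Z"   # placeholder: pin a real release tag here
BASE_URL="https://github.com/cargo-bins/cargo-binstall/releases/download/${PINNED_VERSION}"

# Embedded table, one "<target> <sha256>" per line. These are placeholder digests;
# replace them with the sums published for the pinned release.
PINNED_SUMS='
x86_64-unknown-linux-gnu 0000000000000000000000000000000000000000000000000000000000000000
aarch64-apple-darwin     0000000000000000000000000000000000000000000000000000000000000000
'

# Portable SHA-256: GNU coreutils sha256sum, or perl shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_pinned <file> <target> <table>: succeeds only when the file's digest equals the
# table entry for that target. An unknown target or a mismatch is a hard failure.
verify_pinned() {
  file=$1; target=$2; table=$3
  expected=$(printf '%s\n' "$table" | awk -v t="$target" '$1 == t { print $2 }')
  [ -n "$expected" ] || { echo "no pinned hash for target $target" >&2; return 1; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $file" >&2; return 1; }
}

# bootstrap <target>: download the pinned archive, verify, unpack, then self-update
# from the verified binary so every later download is signature-checked.
bootstrap() {
  target=$1
  archive="cargo-binstall-${target}.tgz"   # assumed asset naming
  curl -fsSL -o "$archive" "${BASE_URL}/${archive}"
  verify_pinned "$archive" "$target" "$PINNED_SUMS"
  tar -xzf "$archive" cargo-binstall
  ./cargo-binstall --only-signed --no-confirm cargo-binstall
}
```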
> But probably the easiest thing is to pin the initial download to a particular cargo-binstall version
Yeah that's the most simple yet robust solution.
It's probably the solution we want to implement.
from cargo-binstall.
In the `- uses: cargo-bins/cargo-binstall@main` workflow you mean?
The other problem is once we've got the public key, how to check the signatures against it without introducing more links in the supply chain. We can't use cargo-binstall to do it, for example, given that a malicious version could just always say yes.
Given this is GHA, we could vendor a minisign implementation for node.js (or wasm), maybe.
from cargo-binstall.
Yes, and I didn't realise the lack of minisign/rsign was a problem.
Probably writing it in node.js or wasm is the only solution.
from cargo-binstall.
In fact, the guaranteed presence of node.js in GHA makes me think that perhaps a solution (if a bit overengineered?) is to make a WASI build of cargo-binstall and then we'd have a single binary for all platforms, which makes verification much easier.
from cargo-binstall.
Or, hey, here's a fun one, we use the build from quickinstall which is signed with the single/static quick-install key, which we can embed, and now we only need to do the minisign verification in js.
from cargo-binstall.
> make a WASI build of cargo-binstall and then we'd have a single binary for all platforms, which makes verification much easier.
I definitely want to do that, but unfortunately WASI can't even do network now.
I also checked `cargo wasix check` and many crates like `ring`, `tokio` and `gix-sec` still can't compile:
```text
error[E0432]: unresolved import `super::sysrand_chunk`
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ring-0.16.20/src/rand.rs:306:16
|
306 | use super::sysrand_chunk::chunk;
| ^^^^^^^^^^^^^ could not find `sysrand_chunk` in `super`
Compiling rustls v0.20.9
Compiling bzip2-sys v0.1.11+1.0.8
For more information about this error, try `rustc --explain E0432`.
error: could not compile `ring` (lib) due to previous error
warning: build failed, waiting for other jobs to finish...
error: Only features sync,macros,io-util,rt,time are supported on wasm.
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.32.0/src/lib.rs:471:1
|
471 | compile_error!("Only features sync,macros,io-util,rt,time are supported on wasm.");
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
error[E0432]: unresolved import `super::sysrand_chunk`
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ring-0.16.20/src/rand.rs:306:16
|
306 | use super::sysrand_chunk::chunk;
| ^^^^^^^^^^^^^ could not find `sysrand_chunk` in `super`
Checking gix-sec v0.10.0
error[E0425]: cannot find function `geteuid` in crate `libc`
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-sec-0.10.0/src/identity.rs:34:38
|
34 | let uid = unsafe { libc::geteuid() };
| ^^^^^^^ not found in `libc`
error[E0658]: use of unstable library feature 'wasi_ext'
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-sec-0.10.0/src/identity.rs:26:17
|
26 | use std::os::unix::fs::MetadataExt;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: see issue #71213 <https://github.com/rust-lang/rust/issues/71213> for more information
= help: add `#![feature(wasi_ext)]` to the crate attributes to enable
error[E0599]: no method named `uid` found for struct `Metadata` in the current scope
--> /Users/nobodyxu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-sec-0.10.0/src/identity.rs:28:21
|
28 | Ok(meta.uid())
| ^^^ method not found in `Metadata`
Some errors have detailed explanations: E0425, E0599, E0658.
For more information about an error, try `rustc --explain E0425`.
error: could not compile `gix-sec` (lib) due to 3 previous errors
warning: build failed, waiting for other jobs to finish...
For more information about this error, try `rustc --explain E0432`.
error: could not compile `ring` (lib) due to previous error
error: could not compile `tokio` (lib) due to previous error
```
from cargo-binstall.