Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GPG Verification for browserpass #2

Open
Amar1729 opened this issue Apr 18, 2019 · 2 comments
Open

GPG Verification for browserpass #2

Amar1729 opened this issue Apr 18, 2019 · 2 comments

Comments

@Amar1729
Copy link
Owner

The homebrew-downloaded binary browserpass-3.0.6.mojave.bottle.tar.gz does not match the signature in browserpass-darwin64-3.0.6.tar.gz.asc. This is because the bottle is a homebrew-created binary which uses the upstream browserpass-darwin64-3.0.6.tar.gz.

Due to the security-focused nature of browserpass, the question of gpg verification of the source has been raised.

There is actually an old issue for the brew tool that proposed gpg key verification in formulae. Unfortunately the prevailing opinion from maintainers was that sha256 verification was "enough" for verification of upstream tarballs rather than the overhead of dealing with keys and proper signature verification.

I am not sure if there's currently a way to gpg verify the source tarball inside a homebrew formula, but I can look into it.

tl;dr: End-User verification

In the meantime, there is an option the end-user has for verification of upstream binaries themselves:

# ONLY download the build sources defined in the browserpass formula
# this will download browserpass-darwin64.tar.gz and a testfile (used in the brew test block)
$ brew fetch --build-from-source browserpass

==> Downloading https://github.com/browserpass/browserpass-native/releases/download/3.0.6/browserpass-darwin64-3.0.6.tar.gz
Already downloaded: /Users/amar/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz
SHA256: 422bc6dd1270a877af6ac7801a75b4c4b57171d675c071470f31bc24196701e3

# then you can verify this source yourself (note that the path for the .asc and the tarball will change in future releases):
$ gpg --verify browserpass-darwin64-3.0.6.tar.gz.asc ~/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz

After this, you can view the homebrew formula file with

$ brew cat browserpass

so you can verify I'm not applying any strange patches to the source tarball, simply installing it.

You then can run:

$ brew install browserpass

Note

While brew install supports a --build-from-source flag, this flag doesn't actually build browserpass from source since the upstream provides a prebuilt binary. I can change the formula to actually build browserpass-native from source if there's significant want for it.

@maximbaz
Copy link

would it be possible to download the signature via curl and execute gpg --verify directly from within the formula, as a first "build step", or the formula will not have read access to the archive file in the cache directory?

@Amar1729
Copy link
Owner Author

It could be possible?
There's a good bit of abstraction going on in the Formula method, and builds happen in a sandbox under /private/tmp without access to most of the rest of the filesystem.
Maybe a workaround is to download it as a resource, stage it a temporary path, and then gpg --verify it?
I've only built simple homebrew formulae at this point, so I'm unfamiliar with some of the more intricate functions I may have access to. I'll check it out when I can though (also open to suggestions if anyone is more familiar than I).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants