Skip to content

install/ampel + install/bnd: curl downloads have no checksum/signature verification #51

Description

@potiuk

The install actions at install/ampel/action.yml and install/bnd/action.yml (currently at v1.1.5 / commit ba6f58b71202) fetch their binaries with bare curl -Lo … and then chmod 0755, with no checksum, signature, or attestation verification step. For example, in install/ampel/action.yml:

- name: Install ampel
  shell: bash
  run: |
    mkdir -p ${{ inputs.install-dir }}/bin || :
    curl -Lo ${{ inputs.install-dir }}/bin/ampel${{ steps.platform.outputs.ext }} \
      https://github.com/carabiner-dev/ampel/releases/download/${{ inputs.version }}/${{ steps.platform.outputs.filename }}
    chmod 0755 ${{ inputs.install-dir }}/bin/ampel${{ steps.platform.outputs.ext }}

install/bnd/action.yml has the same shape for the bnd binary.

The Apache Software Foundation runs verify-action-build (https://github.com/apache/infrastructure-actions) on every action used by ASF projects. It flags both files as unverified binary downloads when reviewing ampel/verify for inclusion (apache/infrastructure-actions#802).

The release artifacts already include the underlying signing material — ampel-vX.Y.Z.provenance.json (SLSA provenance) for ampel and attestations.jsonl for bnd — so the chain exists; it's just not surfaced to consumers of the install actions.

A few options that would unblock ASF adoption:

  1. Add a gh attestation verify step after the curl, e.g. gh attestation verify "$binary" --owner carabiner-dev. Cleanest if your attestations are published to GitHub's attestation transparency log.
  2. Publish a SHA256SUMS file at release time and have the install action fetch + verify it (curl … && curl … SHA256SUMS && sha256sum -c).
  3. Use cosign verify-blob against the existing .provenance.json (would need a sigstore/cosign-installer step in the install action too).

Happy to send a PR once you indicate which path you'd prefer.

(This is a security-process finding; nothing suggests the current binaries are bad — but a runner that fetches them has no way to detect tampering or registry compromise without an explicit verification step.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions