Use Mozilla's CA certificate store for libgit2 SSL certificates. #24212
Conversation
deps/libgit2.mk
Outdated
| $(eval TMP_CACERT_SHA256:=$(shell mktemp cacert-2017-09-20.XXXX.pem.sha256)) | ||
| echo "435ac8e816f5c10eaaf228d618445811c16a5e842e461cb087642b6265a36856 *cacert-2017-09-20.pem" > $(TMP_CACERT_SHA256) | ||
| $(JLDOWNLOAD) $(shell pwd)/cacert-2017-09-20.pem https://curl.haxx.se/ca/cacert-2017-09-20.pem | ||
| sha256sum --check $(TMP_CACERT_SHA256) |
There was a problem hiding this comment.
Unfortunately, I don't think we can just assume that sha256sum is available, sometimes we need to use shasum -a 256. See the jlchecksum tool for what we've found to work reliably. In fact, it might be neat if we could just use jlchecksum to do the checking here. To do so, download the cacert-2017-09-20.pem file, then run ./deps/tools/jlchecksum cacert-2017-09-20.pem. It will say something like "checksums not found, autogenerating...", then there will be two new files within deps/checksums. Then, if you ask jlchecksum to verify a file with the same filename, it will check against those checksums within the build tree.
There was a problem hiding this comment.
I have modified this section to use $(JLCHECKSUM), but I feel that the MD5 checksum verification as a fallback is not recommended for security (similar to using SHA1 checksums).
Since there is only SHA512 and MD5 checksum verification with the jlchecksum script, perhaps the build should fail if the system does not provide more than MD5 checksum verifications.
deps/libgit2.mk
Outdated
| $(build_datarootdir)/julia/cert.pem: | ||
| $(eval TMP_CACERT_SHA256:=$(shell mktemp cacert-2017-09-20.XXXX.pem.sha256)) | ||
| echo "435ac8e816f5c10eaaf228d618445811c16a5e842e461cb087642b6265a36856 *cacert-2017-09-20.pem" > $(TMP_CACERT_SHA256) | ||
| $(JLDOWNLOAD) $(shell pwd)/cacert-2017-09-20.pem https://curl.haxx.se/ca/cacert-2017-09-20.pem |
There was a problem hiding this comment.
Is there a rule of thumb that says when we should bump up to newer cacert releases? We might need to add some kind of automated reminder so that we don't forget about it. What is a reasonable timeframe to bump this up? Once a month? Once every six months?
There was a problem hiding this comment.
Well, according the dates of past cacert.pem revisions (here), the updates have come out between 2 months to 5 months.
|
This is looking really good, @mikhail-j. I have two comments, which I have left inline. I think using |
|
I mentioned in my earlier response to one of your review comments (they're hidden because github marked them outdated), the MD5 checksum verification as a fallback is not recommended for security (similar to using SHA1 checksums). As there is only SHA512 and MD5 checksum verification with the jlchecksum script, perhaps the build should fail if the system does not provide more than MD5 checksum verifications. |
|
@staticfloat I forgot to tag you in my previous comment. |
|
Thanks Mikhail, this is good. We're not going to worry about the cryptographic weakness of MD5, because the purpose of this hash checking is more to ensure integrity than to protect against a malicious adversary. Although we, of course, prefer a strong hash such as SHA512 where we get integrity assurance WITH strong cryptographic guarantees, using MD5 is much better than nothing. |
I've closed my previous PR (#23807) earlier today when I reorganized my fork into 2 new branches.
@staticfloat @tkelman
As requested, I've modified libgit2.mk to download (using jldownload) and verify the SHA256 checksum of the CA certificate store extracted from Mozilla (specifically the 09/20/2017 version) available as cacert.pem from the official curl project website (here).