Files · 01710d041f2cdbdbbae1c1e145eb1e23ff998e07 · Linshizhi / Chromium_Depot_tools

[cipd] Pin hashes of CIPD packages. · 01710d04

Vadim Shtayura authored Sep 18, 2018

Together with already committed cipd_client_version.digests file, this
cryptographically binds contents of CIPD packages used by depot_tools
with depot_tool's git revision (assuming the CIPD client pinned by
cipd_client_version.digests is trusted too, which can presumably be
verified when it is being pinned).

This holds true even if the CIPD backend is compromised. The worst that
can happen is a denial of service (e.g. if the backend refuses to serve
packages at all).

If a bad backend tries to serve a malicious (unexpected) CIPD client,
'cipd' bootstrap script (and its powershell counterpart) will detect
a mismatch between SHA256 of the fetched binary and what's specified in
cipd_client_version.digests, and will refuse to run the untrusted binary.

Similarly, if the bad backend tries to serve some other unexpected
package (in place of a package specified in cipd_manifest.txt), the CIPD
client (already verified and trusted as this point) will detect a mismatch
between what was fetched and what's pinned in cipd_manifest.versions, and
will refuse to install untrusted files.

cipd_manifest.versions was generated from cipd_manifest.txt by:
$ cipd ensure-file-resolve -ensure-file cipd_manifest.txt

This will have to be rerun each time cipd_manifest.txt is updated. There's
a presubmit check that verifies *.versions file is up-to-date (it's part
of 'cipd ensure-file-verify').

BUG=870166
R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org

Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5
Reviewed-on: https://chromium-review.googlesource.com/1227435
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>

01710d04

Name	Last commit	Last update
bootstrap/win		Loading commit data...
fetch_configs		Loading commit data...
git-templates		Loading commit data...
infra		Loading commit data...
man		Loading commit data...
recipes		Loading commit data...
support		Loading commit data...
testing_support		Loading commit data...
tests		Loading commit data...
third_party		Loading commit data...
win_toolchain		Loading commit data...
zsh-goodies		Loading commit data...
.gitattributes		Loading commit data...
.gitignore		Loading commit data...
.style.yapf		Loading commit data...
LICENSE		Loading commit data...
OWNERS		Loading commit data...
PRESUBMIT.py		Loading commit data...
README.gclient.md		Loading commit data...
README.git-cl.md		Loading commit data...
README.md		Loading commit data...
README.testing		Loading commit data...
WATCHLISTS		Loading commit data...
annotated_gclient.py		Loading commit data...
appengine_mapper.py		Loading commit data...
auth.py		Loading commit data...
autoninja		Loading commit data...
autoninja.bat		Loading commit data...
autoninja.py		Loading commit data...
breakpad.py		Loading commit data...
buildbucket.py		Loading commit data...
cbuildbot		Loading commit data...
checkout.py		Loading commit data...
chrome_set_ver		Loading commit data...
cipd		Loading commit data...
cipd.bat		Loading commit data...
cipd.ps1		Loading commit data...
cipd_bin_setup.bat		Loading commit data...
cipd_bin_setup.sh		Loading commit data...
cipd_client_version		Loading commit data...
cipd_client_version.digests		Loading commit data...
cipd_manifest.txt		Loading commit data...
cipd_manifest.versions		Loading commit data...
cit		Loading commit data...
cit.bat		Loading commit data...
cit.py		Loading commit data...
clang-format		Loading commit data...
clang-format.bat		Loading commit data...
clang_format.py		Loading commit data...
clang_format_merge_driver		Loading commit data...
clang_format_merge_driver.bat		Loading commit data...
clang_format_merge_driver.py		Loading commit data...
codereview.settings		Loading commit data...
compile_single_file		Loading commit data...
compile_single_file.bat		Loading commit data...
compile_single_file.py		Loading commit data...
cpplint.bat		Loading commit data...
cpplint.py		Loading commit data...
cpplint_chromium.py		Loading commit data...
cros		Loading commit data...
cros_sdk		Loading commit data...
dart_format.py		Loading commit data...
depot-tools-auth		Loading commit data...
depot-tools-auth.bat		Loading commit data...
depot-tools-auth.py		Loading commit data...
detect_host_arch.py		Loading commit data...
download_from_google_storage		Loading commit data...
download_from_google_storage.bat		Loading commit data...
download_from_google_storage.py		Loading commit data...
ensure_bootstrap		Loading commit data...
fetch		Loading commit data...
fetch.bat		Loading commit data...
fetch.py		Loading commit data...
fix_encoding.py		Loading commit data...
gclient		Loading commit data...
gclient-new-workdir.py		Loading commit data...
gclient.bat		Loading commit data...
gclient.py		Loading commit data...
gclient_completion.sh		Loading commit data...
gclient_eval.py		Loading commit data...
gclient_scm.py		Loading commit data...
gclient_utils.py		Loading commit data...
gerrit_client.py		Loading commit data...
gerrit_util.py		Loading commit data...
git-cache		Loading commit data...
git-cl		Loading commit data...
git-crrev-parse		Loading commit data...
git-crsync		Loading commit data...
git-drover		Loading commit data...
git-find-releases		Loading commit data...
git-footers		Loading commit data...
git-freeze		Loading commit data...
git-gs		Loading commit data...
git-hyper-blame		Loading commit data...
git-map		Loading commit data...
git-map-branches		Loading commit data...
git-mark-merge-base		Loading commit data...
git-nav-downstream		Loading commit data...
git-nav-upstream		Loading commit data...
git-new-branch		Loading commit data...
git-number		Loading commit data...
git-rebase-update		Loading commit data...
git-rename-branch		Loading commit data...
git-reparent-branch		Loading commit data...
git-retry		Loading commit data...
git-runhooks		Loading commit data...
git-squash-branch		Loading commit data...
git-thaw		Loading commit data...
git-upstream-diff		Loading commit data...
git_cache.py		Loading commit data...
git_cl.py		Loading commit data...
git_cl_completion.sh		Loading commit data...
git_common.py		Loading commit data...
git_dates.py		Loading commit data...
git_drover.py		Loading commit data...
git_find_releases.py		Loading commit data...
git_footers.py		Loading commit data...
git_freezer.py		Loading commit data...
git_hyper_blame.py		Loading commit data...
git_map.py		Loading commit data...
git_map_branches.py		Loading commit data...
git_mark_merge_base.py		Loading commit data...
git_nav_downstream.py		Loading commit data...
git_new_branch.py		Loading commit data...
git_number.py		Loading commit data...
git_rebase_update.py		Loading commit data...
git_rename_branch.py		Loading commit data...
git_reparent_branch.py		Loading commit data...
git_retry.py		Loading commit data...
git_squash_branch.py		Loading commit data...
git_upstream_diff.py		Loading commit data...
gn		Loading commit data...
gn.bat		Loading commit data...
gn.py		Loading commit data...
gsutil.py		Loading commit data...
gsutil.vpython		Loading commit data...
led		Loading commit data...
led.bat		Loading commit data...
luci-auth		Loading commit data...
luci-auth.bat		Loading commit data...
mac_toolchain		Loading commit data...
metrics.README.md		Loading commit data...
metrics.py		Loading commit data...
metrics_utils.py		Loading commit data...
my_activity.py		Loading commit data...
my_reviews.py		Loading commit data...
ninja		Loading commit data...
ninja-linux32		Loading commit data...
ninja-linux64		Loading commit data...
ninja-mac		Loading commit data...
ninja.exe		Loading commit data...
owners.py		Loading commit data...
owners_finder.py		Loading commit data...
patch.py		Loading commit data...
post_build_ninja_summary.py		Loading commit data...
presubmit_canned_checks.py		Loading commit data...
presubmit_support.py		Loading commit data...
profile.xml		Loading commit data...
prpc		Loading commit data...
prpc.bat		Loading commit data...
pylint		Loading commit data...
pylint.py		Loading commit data...
pylintrc		Loading commit data...
python_runner.sh		Loading commit data...
repo		Loading commit data...
rietveld.py		Loading commit data...
roll-dep		Loading commit data...
roll-dep-svn		Loading commit data...
roll-dep-svn.bat		Loading commit data...
roll-dep.bat		Loading commit data...
roll_dep.py		Loading commit data...
roll_dep_svn.py		Loading commit data...
scm.py		Loading commit data...
setup_color.py		Loading commit data...
split_cl.py		Loading commit data...
subcommand.py		Loading commit data...
subprocess2.py		Loading commit data...
update_depot_tools		Loading commit data...
update_depot_tools.bat		Loading commit data...
update_depot_tools_toggle.py		Loading commit data...
upload_metrics.py		Loading commit data...
upload_to_google_storage.py		Loading commit data...
vpython		Loading commit data...
vpython.bat		Loading commit data...
watchlists.py		Loading commit data...
weekly		Loading commit data...
wtf		Loading commit data...
yapf		Loading commit data...
yapf.bat		Loading commit data...

README.md