Dockerfile: mitigate certain supply chain attacks using sha256sums #99
Conversation
Currently, the Dockerfile downloads various tools and SDKs from external sources without verifying their integrity. This poses a potential security risk as the downloaded files could be tampered with during transit or at the source (supply chain attack). This change introduces SHA256 checksums for all downloaded artifacts and verifies them before installation. This ensures that the files we receive match exactly what we expect, mitigating the risk of supply chain attacks where malicious actors might try to inject compromised versions of these tools. Signed-off-by: Petr Štetiar <[email protected]>
|
Silicon Labs unfortunately doesn't provide stable URLs to their software so the checksums will just constantly change as they release new versions. The checksum for slc-cli is now |
|
So there is no way to check the integrity of the tarballs? |
|
Not without making the Docker container builds fail at some point in the future. All of the The other URLs, however, are stable. |
|
Yeah, seems to be a known issue for quite some time https://community.silabs.com/s/question/0D58Y00008rSY1pSAG/slc-cli-access-to-released-versions Looking around, I found https://github.com/SiliconLabs/UnifySDK/blob/main/docker/uic-resources/linux/slc_cli_linux.zip |
Currently, the Dockerfile downloads various tools and SDKs from external sources without verifying their integrity. This poses a potential security risk as the downloaded files could be tampered with during transit or at the source (supply chain attack).
This change introduces SHA256 checksums for all downloaded artifacts and verifies them before installation. This ensures that the files we receive match exactly what we expect, mitigating the risk of supply chain attacks where malicious actors might try to inject compromised versions of these tools.