cashapp/hermit

Add integrity checks for packages

Closed this issue · 3 comments

I love the idea of Hermit, but given that it downloads pre-compiled binary archives, it seems to me it can be vulnerable to supply-chain attacks: someone could replace an existing archive from a server and Hermit would download it without noticing the change. This could be mitigated by storing a sha256 checksum of each version in the package manifest.

Hermit does support this (search for sha256).

Oh that's nice, but it doesn't look very widespread. Do you plan to make it mandatory?

We've talked about this a bit in the past, and the issue is that sha256 can't coexist with auto-versioning. We would need to add support for a sha256sums = {...} map, but do not currently have the bandwidth.
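What a per-download `sha256sums = {...}` map would let a client enforce, as an added Go example that is not Hermit's own code: a download whose URL has no pinned digest is refused rather than silently trusted, and a replaced archive fails the digest check. The manifest shape, URL keys and sample archive bytes are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Sha256Sums is a hypothetical in-memory form of a manifest's
// sha256sums = {...} map: download URL -> hex-encoded SHA-256 digest.
type Sha256Sums map[string]string

// VerifyArchive streams the archive through SHA-256 and compares the result
// with the digest pinned for url. A URL with no entry is rejected, which is
// the state an auto-versioned release is in until someone pins it.
func VerifyArchive(sums Sha256Sums, url string, archive io.Reader) error {
	want, ok := sums[url]
	if !ok {
		return fmt.Errorf("no sha256 pinned for %s: refusing unverified download", url)
	}
	wantBytes, err := hex.DecodeString(want)
	if err != nil || len(wantBytes) != sha256.Size {
		return fmt.Errorf("malformed sha256 entry for %s", url)
	}
	h := sha256.New()
	if _, err := io.Copy(h, archive); err != nil {
		return fmt.Errorf("reading archive for %s: %w", url, err)
	}
	got := h.Sum(nil)
	if subtle.ConstantTimeCompare(got, wantBytes) != 1 {
		return fmt.Errorf("sha256 mismatch for %s: got %x, want %s", url, got, want)
	}
	return nil
}

func main() {
	// Constructed sample: a tiny "archive" and its known SHA-256 digest.
	const url = "https://example.invalid/tool-1.2.3.tar.gz"
	sums := Sha256Sums{url: "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"}
	fmt.Println("genuine:", VerifyArchive(sums, url, strings.NewReader("hello world")))
	fmt.Println("swapped:", VerifyArchive(sums, url, strings.NewReader("hello w0rld")))
	fmt.Println("unpinned:", VerifyArchive(sums, url+"?v=1.2.4", strings.NewReader("hello world")))
}
```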