Improve Script Safety with Checksum/Signature Verification?
Opened this issue · 0 comments
Should we add new (optional) functionality that would facilitate NHC doing load-time checking of cryptographic signatures and/or checksums on script and/or config files? or is this a dumb idea?
I'm not sure if this one is worthwhile or makes sense (as the new "maybe?" label indicates), so your feedback is most welcome! And to be clear: I realize that using root
-writable checksums to compare against root
-writable script files is not a security feature! But if done properly, cryptographic signatures can be.
I would imagine this taking the form of either a file of filename:checksum
pairs or a directory of files containing the normal output of the standard checksum commands (such as sha256sum
); there are lots of ways to do it, so if you have a better idea, please let me know! 😁
So what do you think? Good idea, bad idea, or don't care either way?