Commit Graph

53 Commits (9c96f7437ed546a93ba8b405d47265e50f1ca31c)

Author SHA1 Message Date
Robert Iannucci 22300e1fb5 [led] Roll led to add gerritcodereview scope to edit-cr-cl
R=tandrii@chromium.org, vadimsh@chromium.org

Change-Id: I1f235cf959e92e4430cff7dcd0d292db1721319d
Reviewed-on: https://chromium-review.googlesource.com/c/1257585
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Robbie Iannucci <iannucci@chromium.org>
7 years ago
Robert Iannucci 64b61330ec [led] Roll led to fix missing expiration_secs issue.
TBR=tandrii@chromium.org, vadimsh@chromium.org

Bug: 875089
Change-Id: Ia48c7c67df8bdbd9bc0573406bd9f56f6cfe5d49
Reviewed-on: https://chromium-review.googlesource.com/1241677
Reviewed-by: Robbie Iannucci <iannucci@chromium.org>
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Robbie Iannucci <iannucci@chromium.org>
7 years ago
Vadim Shtayura 01710d041f [cipd] Pin hashes of CIPD packages.
Together with already committed cipd_client_version.digests file, this
cryptographically binds contents of CIPD packages used by depot_tools
with depot_tools' git revision (assuming the CIPD client pinned by
cipd_client_version.digests is trusted too, which can presumably be
verified when it is being pinned).

This holds true even if the CIPD backend is compromised. The worst that
can happen is a denial of service (e.g. if the backend refuses to serve
packages at all).

If a bad backend tries to serve a malicious (unexpected) CIPD client,
'cipd' bootstrap script (and its powershell counterpart) will detect
a mismatch between SHA256 of the fetched binary and what's specified in
cipd_client_version.digests, and will refuse to run the untrusted binary.

Similarly, if the bad backend tries to serve some other unexpected
package (in place of a package specified in cipd_manifest.txt), the CIPD
client (already verified and trusted at this point) will detect a mismatch
between what was fetched and what's pinned in cipd_manifest.versions, and
will refuse to install untrusted files.

cipd_manifest.versions was generated from cipd_manifest.txt by:
$ cipd ensure-file-resolve -ensure-file cipd_manifest.txt

This will have to be rerun each time cipd_manifest.txt is updated. There's
a presubmit check that verifies *.versions file is up-to-date (it's part
of 'cipd ensure-file-verify').

BUG=870166
R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org

Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5
Reviewed-on: https://chromium-review.googlesource.com/1227435
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>
7 years ago