Encrypt balenaOS artifacts at rest in GitHub #410
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Failure
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Failure
auto-merge was automatically disabled
September 12, 2024 23:41
Pull request was converted to draft
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Error
ab77
force-pushed
the
ab77/patch
branch
2 times, most recently
from
de6b1a6
to
4988c33
Compare
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Error
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Failure
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Failure
ab77
had a problem deploying
to
balena-staging.com
GitHub Actions
Failure
ab77
temporarily deployed
to
balena-staging.com
GitHub Actions
Inactive
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
|
How can we make this conditional? Ideally we would only encrypt artifacts if certain conditions are met, like if the repository is public and sign image is enabled, for example. Also please include a link to the Fibery improvement in the body of the PR. |
ab77
temporarily deployed
to
balena-staging.com
GitHub Actions
Inactive
klutchell
reviewed
Sep 16, 2024
klutchell
reviewed
Sep 16, 2024
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
ab77
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
ab77
force-pushed
the
ab77/patch
branch
2 times, most recently
from
821c243
to
805967d
Compare
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
rcooke-warwick
force-pushed
the
ab77/patch
branch
from
0e54aea
to
2ab54ff
Compare
rcooke-warwick
temporarily deployed
to
balena-staging.com
GitHub Actions
Inactive
rcooke-warwick
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
rcooke-warwick
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
rcooke-warwick
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
Applies symmetric encryption (PBKDF2 hardened) to balenaOS build assets prior to uploading them to GitHub for temporary storage between builds. Decrypts assets after downloading. Requires: balena-os/.github#83 change-type: patch
Signed-off-by: Kyle Harding <[email protected]>
Signed-off-by: Kyle Harding <[email protected]>
Signed-off-by: Kyle Harding <[email protected]>
Change-type: patch Signed-off-by: Kyle Harding <[email protected]>
klutchell
temporarily deployed
to
balena-staging.com
GitHub Actions
Inactive
|
This is tested and working with both encrypt and decrypt here: https://github.com/balena-os/balena-raspberrypi/actions/runs/11126932142/job/30919311161?pr=1180 |
rcooke-warwick
approved these changes
Oct 1, 2024
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
klutchell
had a problem deploying
to
balena-cloud.com
GitHub Actions
Failure
Change-type: patch Signed-off-by: Ryan Cooke<[email protected]>
rcooke-warwick
temporarily deployed
to
balena-staging.com
GitHub Actions
Inactive
klutchell
reviewed
Oct 1, 2024
| @@ -1138,6 +1138,9 @@ jobs: | |||
| path: ${{ env.WORKSPACE }} | |||
|
|
|||
| - name: Decrypt artifacts | |||
| if: | | |||
| github.event.repository.private != true && | |||
| (inputs.sign-image == true || needs.build.outputs.is_private == 'true') | |||
There was a problem hiding this comment.
@rcooke-warwick I asked Anton to remove this so we had one fewer place where conditions were used to decide between encryption and decryption. Like if we changed the conditions for encryption and forgot to update the decryption conditions, it might take a while to notice we broke it.
Was it not correctly detecting the lack of *.enc files?
There was a problem hiding this comment.
Thats right,
Run for artifact in *.enc **/*.enc; do
+ for artifact in *.enc **/*.enc
+ openssl enc -v -d -aes-256-cbc -k *** -pbkdf2 -iter 310000 -md sha256 -salt -in '*.enc' -out '*'
bufsize=8192
Can't open "*.enc" for reading, No such file or directory
40D756EFD17F0000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(*.enc, rb)
40D756EFD17F0000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
There was a problem hiding this comment.
If we're too lenient about the logic in this step passing, we risk scenarios like:
- we break the encryption step
- we break the decryption step
- we change the logic to .enc files get written to a different place, or are called something else
And then trying to flash the DUT with whatever, or getting as far as the tests, which will then fail - but its harder to ID where the failure happened if it gets that far. Just to keep in mind
rcooke-warwick
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
rcooke-warwick
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
rcooke-warwick
temporarily deployed
to
balena-cloud.com
GitHub Actions
Inactive
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Applies symmetric encryption (PBKDF2 hardened) to balenaOS build assets prior to uploading them to GitHub for temporary storage between builds. Decrypts assets after downloading.
Requires: https://github.com/balena-os/.github/pull/83
Depends-on: balena-os/balena-generic#525
https://balena.fibery.io/Work/Improvement/Encrypt-artifacts-used-between-jobs-2070