Check micromamba artifact signature

[westurner]

It should check the checksum and/or signature of the micromamba artifact.

References:

• https://slsa.dev/ (...)

[westurner]

• devcontainer-features/src/micromamba/install.sh

  Lines 38 to 60 in e7ecfc7

  	download_with_curl() {
  	local url=$1
  	local destination=$2
  	curl -sL "${url}" | tar -xj -C "${destination}" --strip-components=1 bin/micromamba
  	}
  	install_micromamba() {
  	local version=$1
  	local destination=$2
  	local arch
  	local url
  	arch="$(uname -m)"
  	if [ "$(uname -m)" = "x86_64" ]; then
  	arch="64"
  	fi
  	url="https://micro.mamba.pm/api/micromamba/linux-${arch}/${version}"
  	echo "Installing prerequisites for downloading micromamba..."
  	ensure_download_prerequisites
  	echo "Downloading micromamba from ${url}..."
  	download_with_curl "${url}" "${destination}"
  	echo "Micromamba download complete."
  	}

[eitsupi]

How do you expect to check the correct hash?
Is downloading hash values from the internet better than not checking anything?

[westurner]

It looks like https://github.com/mamba-org/setup-micromamba/blob/main/src/main.ts doesn't check a checksum or a signature either? From ***@***.***/introducing-mamba-2-0-0e8d5c6d1d0c :

Mamba 2.0 comprises a solid implementation of The Update Framework (TUF)

for package signing and general software supply chain security, and an implementation of the conda content trust protocol based upon TUF. SLSA.dev (TUF,) describes why provenance i.e. signatures is necessary though there is HTTPS SSL/TLS w/ distributed global CA cert bundles: https://github.com/slsa-framework/slsa-github-generator#generate-provenance https://peps.python.org/pep-0458/#integrating-pypi-with-tuf :

Second, it must add the framework to the client side of the update

system. For example, TUF MAY be integrated with the pip package manager. Thus, new versions of pip going forward SHOULD use TUF by default to download and verify distributions from PyPI before installing them. To bootstrap Pip there's ensurepip, which is periodically inlined into CPython IIRC; python -m ensurepip -U && python -m pip install

…

On Wed, Jan 15, 2025, 10:10 PM eitsupi ***@***.***> wrote: How do you expect to check the correct hash? Is downloading hash values from the internet better than not checking anything? — Reply to this email directly, view it on GitHub <#29 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAMNSYNYBDOBR22XGK3LIT2K4PL5AVCNFSM6AAAAABVIOUMLWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJUGM4DEOBZGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>