From f37f2eff68c31620fd88bc37ff2b7d57ea0c700c Mon Sep 17 00:00:00 2001 From: Shubham Hibare <20609766+hibare@users.noreply.github.com> Date: Fri, 12 Jan 2024 01:26:21 +0530 Subject: [PATCH] feat(installation): Implement checksum signature verification (#2157) * feat(installation): Implement checksum signature verification * Add cosign notes * Use vars * use var --- README.md | 7 +++++++ scripts/install.sh | 37 +++++++++++++++++++++++++++++++++++-- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 19d9b030e048..8507980d9412 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,10 @@ cd trufflehog; go install # Using installation script curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin + +# Using installation script, verify checksum signature (requires cosign to be installed) +curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -v -b /usr/local/bin + # Using installation script to install a specific version curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin ``` @@ -103,6 +107,9 @@ Verification steps are as follow: Replace `{version}` with the downloaded files version +Alternatively, if you are using installation script, pass `-v` option to perform signature verification. +This required Cosign binary to be installed prior to running installation script. + # :rocket: Quick Start ## 1: Scan a repo for only verified secrets diff --git a/scripts/install.sh b/scripts/install.sh index 97d6ddc7e407..98fc55721985 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
@@ -9,6 +9,7 @@ $this: download go binaries for trufflesecurity/trufflehog
 Usage: $this [-b] bindir [-d] [tag]
 -b sets bindir or installation directory, Defaults to ./bin
 -d turns on debug logging
+ -v verify checksum signature. Require cosign binary to be installed.
 [tag] is a tag from https://github.com/trufflesecurity/trufflehog/releases
 If tag is missing, then the latest will be used.
@@ -22,10 +23,11 @@ parse_args() {
 # over-ridden by flag below
 BINDIR=${BINDIR:-./bin}
- while getopts "b:dh?x" arg; do
+ while getopts "b:dvh?x" arg; do
 case "$arg" in
 b) BINDIR="$OPTARG" ;;
 d) log_set_priority 10 ;;
+ v) VERIFY_SIGN=true;;
 h | \?) usage "$0" ;;
 x) set -x ;;
 esac
@@ -41,8 +43,15 @@ parse_args() {
 execute() {
 tmpdir=$(mktemp -d)
 log_debug "downloading files into ${tmpdir}"
- http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
 http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
+
+ if [ "$VERIFY_SIGN" = true ]; then
+ http_download "${tmpdir}/${CHECKSUM}.${CERT_FORMAT}" "${CHECKSUM_URL}.${CERT_FORMAT}"
+ http_download "${tmpdir}/${CHECKSUM}.${SIG_FORMAT}" "${CHECKSUM_URL}.${SIG_FORMAT}"
+ verify_sign "${tmpdir}/${CHECKSUM}" "${tmpdir}/${CHECKSUM}.${CERT_FORMAT}" "${tmpdir}/${CHECKSUM}.${SIG_FORMAT}"
+ fi
+
+ http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
 hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
 srcdir="${tmpdir}"
 (cd "${tmpdir}" && untar "${TARBALL}")
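Review bot: The synopsis line just above the new `-v` entry, `Usage: $this [-b] bindir [-d] [tag]`, still does not list the flag, so the help text now describes an option that its own usage line omits; change it to `Usage: $this [-b] bindir [-d] [-v] [tag]`. The new description also reads better as `-v verify checksum signature. Requires the cosign binary to be installed.` The heredoc this text lives in starts and ends outside the hunk.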
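Review bot: The new `v) VERIFY_SIGN=true;;` arm gives `VERIFY_SIGN` no default, unlike `BINDIR=${BINDIR:-./bin}` a few lines up, so the variable exists only when the flag is passed and the later `[ "$VERIFY_SIGN" = true ]` test would be an unset-variable error if the script ever runs under `set -u` (whether it does is outside this hunk). Initialising it beside BINDIR with `VERIFY_SIGN=${VERIFY_SIGN:-false}` makes an environment override explicit and keeps the flag-overrides-env pattern the comment above BINDIR describes, and `v) VERIFY_SIGN=true ;;` matches the spacing of the sibling arms. parse_args continues past the end of the hunk.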
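Review bot: The exit status of `verify_sign` inside the new `if [ "$VERIFY_SIGN" = true ]` branch is never checked, so a failed cosign verification only aborts the install if the script runs under `set -e`, which is outside this hunk; a verification flag should fail closed on its own, e.g. `verify_sign "${tmpdir}/${CHECKSUM}" "${tmpdir}/${CHECKSUM}.${CERT_FORMAT}" "${tmpdir}/${CHECKSUM}.${SIG_FORMAT}" || { log_err "signature verification failed for ${CHECKSUM}"; exit 1; }`. Moving the tarball download below the checksum step is a good ordering, since nothing else is fetched until the checksum file has been accepted. Note that `check_cosign_bin`, added later in this patch, is not called anywhere visible here, and `CERT_FORMAT`/`SIG_FORMAT` are not defined in any visible hunk — presumably both are wired up elsewhere in the script, which is worth confirming. The rest of `execute` continues past the end of the hunk.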
@@ -326,6 +335,24 @@ hash_sha256_verify() {
 fi
 }
+check_cosign_bin() {
+ if [ "$VERIFY_SIGN" = true ]; then
+ if [ ! -x "$(command -v "$COSIGN_BINARY")" ]; then
+ log_err "Cosign binary is not installed. Follow steps from https://docs.sigstore.dev/system_config/installation/ to install it."
+ return 1
+ fi
+ fi
+}
+
+verify_sign() {
+ log_debug "Verifying artifact $1"
+ ${COSIGN_BINARY} verify-blob "$1" \
+ --certificate "$2" \
+ --signature "$3" \
+ --certificate-identity-regexp "https://github\.com/${OWNER}/${REPO}/\.github/workflows/.+" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+}
+
 cat /dev/null <