Downloads should be validated #97
Comments
Nice idea and probably easier to implement than #17. :)
Oooh, I like the idea behind #17! It "automates" some of the work. Sorry, I filed this bug with a solution in mind rather than just asking for what I want... The title of the bug ("Downloads should be validated") is what I'd like, my comment above is a suggestion on how to do it and can be ignored :) Maybe someone more versed in these things can guide you on whether #17 is enough or if pinning SHAs is "more secure" as it would protect against the bazel key being compromised.
@philwo @alexeagle Just wanted to see if this is in the current work queue for your team. It would probably block any wide-spread adoption of bazelisk within our company. Thanks!
@rayhoffmann-ANSYS Thanks for letting me know. We had false positives with Chrome's malicious binary checking in the past and I had to escalate them with the team to get them removed from there. But I'll inspect this personally just to make sure! Could you let me know whether you're running a virus scanner and if yes which one on your computer?
I checked https://github.com/bazelbuild/bazelisk/releases/download/v1.6.1/bazelisk-windows-amd64.exe with virustotal.com and it came back all green (nothing detected). I'd assume a false positive, but would still like to resolve this. Any details about your virus scanner that complained about the binary would be welcome.
We had McAfee installed on our computers. Windows Defender is running.
Hi @philwo, we are having the same issue as reported by @rayhoffmann-ANSYS. See here: https://www.virustotal.com/gui/file/eed3dd5ee2433275eab79f999276a7cc5d082a0360c439cb370183eaa94fc293/detection. I just tried uploading the latest windows binary and it comes back as green: https://www.virustotal.com/gui/url/494f82b50db61451cc09367b664dfb061ee22bb7fed9c641590fbf77a156c2c8/detection, strange.
@freddd Which version was the file that comes back red? Do you still have it? Oh, now I get it - if you upload the file it's red, but if you pass the URL in, it's green. Weird. 🤔 I'm looking into this.
OK, I figured it out. Apparently Go binaries that are built for Windows often result in false positives: Especially when you use Here's my recommendation:
Bazelisk 1.6.1 as downloaded from GitHub has this SHA256: Repro instructions: I'm using a MacBook Pro (macOS 10.15.6), in case this matters - I'm not sure.
If you also get the same hash, it's proven that the release binary was built from the unmodified sources of the tag v1.6.1.
I think #17 is not really bazel-ly. It would be nice to be able to check a list of known SHA256s for the corresponding bazel versions downloaded by bazelisk. That would help shops with their own patched bazel releases to use bazelisk without having to bother about gpg sigs. I also see that #17 is quite stale. How keen are you to review/merge an MR for SHA256 verify?
The .bazelversion file should allow developers to specify the SHAs of the files downloaded so that we can rest easy knowing that the bazel used by bazelisk is, well, not tainted.
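The check proposed in this issue and in the "list of known SHA256s" comment above, as an added example that is not bazelisk's own code. It assumes a hypothetical `.bazelversion` syntax of `<version> sha256=<hex>` (real `.bazelversion` files hold a bare version string), parses that line, and compares the SHA-256 of the downloaded bytes against the pin. A version line without a pin yields `ErrNoPin` rather than silently passing, so the caller has to decide explicitly whether unpinned downloads are acceptable; the sample binary bytes are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrNoPin is returned when the .bazelversion entry carries no sha256 pin.
// An attacker who can tamper with the download could also strip the pin, so
// "no pin" must never be treated as "verified".
var ErrNoPin = errors.New("no sha256 pin for this version")

// PinnedVersion is one parsed .bazelversion entry. The "<version> sha256=<hex>"
// syntax is an assumption made for this example, not bazelisk's real format.
type PinnedVersion struct {
	Version string
	SHA256  []byte // nil when the line has no pin
}

// ParseBazelVersion reads the first non-empty, non-comment line of a
// .bazelversion-style file and returns the version plus optional pin.
func ParseBazelVersion(content string) (PinnedVersion, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		pv := PinnedVersion{Version: fields[0]}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "sha256=") {
				return PinnedVersion{}, fmt.Errorf("unknown field %q in .bazelversion", f)
			}
			digest, err := hex.DecodeString(strings.TrimPrefix(f, "sha256="))
			if err != nil || len(digest) != sha256.Size {
				return PinnedVersion{}, fmt.Errorf("malformed sha256 pin %q", f)
			}
			pv.SHA256 = digest
		}
		return pv, nil
	}
	return PinnedVersion{}, errors.New("no version line found in .bazelversion")
}

// VerifyDownload hashes the downloaded bytes and compares them to the pin.
// The comparison is constant-time; it is cheap and avoids any argument about
// timing, even though the digest itself is not secret.
func VerifyDownload(pv PinnedVersion, data []byte) error {
	if pv.SHA256 == nil {
		return fmt.Errorf("version %s: %w", pv.Version, ErrNoPin)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], pv.SHA256) != 1 {
		return fmt.Errorf("sha256 mismatch for bazel %s: pinned %x, downloaded %x",
			pv.Version, pv.SHA256, got[:])
	}
	return nil
}

func main() {
	// Constructed stand-in for a downloaded bazel binary; not a real release.
	binary := []byte("constructed bazel-4.0.0-linux-x86_64 bytes")
	sum := sha256.Sum256(binary)
	content := fmt.Sprintf("# pinned by the project\n4.0.0 sha256=%x\n", sum)

	pv, err := ParseBazelVersion(content)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact download:", VerifyDownload(pv, binary))
	tampered := append([]byte("x"), binary...)
	fmt.Println("tampered download:", VerifyDownload(pv, tampered))
}
```

In a real integration the comparison would run on the temporary file before it is moved into bazelisk's cache, so a mismatching binary is never left somewhere a later run could pick it up.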