
Security: Allow to verify the hash of downloaded roles #2108

Open
philipp-classen opened this issue Nov 18, 2019 · 0 comments

Feature Request

Use Case

Currently, there is no easy way to verify the integrity of a downloaded role. That opens the possibility for supply chain attacks:

Assume that some attacker gets access to a repository. Relying on Git tags alone is unsafe, as an attacker with write access can move them. That allows them to push arbitrary roles.

Previous related discussions:
ansible/ansible#14604
#1358

Proposed Solution

To mitigate that risk, the Git hash could be specified when describing the dependency and then verified when downloading via "ansible-galaxy install".

Alternatives

Currently, there are ways to achieve pinning by Git hash, but they are not very elegant. For example, this is what I'm using:

https://devops.stackexchange.com/q/9836/2708

Implementation

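One way to do the verification this request asks for today, as an added example that is not part of ansible-galaxy and not the issue author's own setup. It assumes Git's SHA-1 object format (blob and tree framing, entry ordering and modes), that ansible-galaxy leaves an extracted directory with `meta/.galaxy_install_info` rather than a Git checkout, and uses a hypothetical role name and constructed sample files. Because the installed directory has no `.git`, the commit itself cannot be re-checked after installation; what can be re-checked is the content, which is exactly what a Git tree hash covers. The example also rejects a `version` that is a tag or branch rather than a full commit hash, which is the movable-tag problem described above.

```python
"""Verify an ansible-galaxy-installed role against a pinned Git tree hash.

Added example, not ansible-galaxy's own code.  ansible-galaxy fetches a Git
role by cloning, checking out `version`, archiving and extracting, so the
installed directory holds no .git to ask `git rev-parse`.  The content that
survives is exactly what a Git *tree* object hashes, so we recompute that
hash in pure Python and compare it with the value pinned next to the commit.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # Git's hash of an empty tree
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")
# Not part of the repository's tree: ansible-galaxy writes meta/.galaxy_install_info
# after extraction, and a plain checkout would carry .git.
IGNORED = {".git", ".galaxy_install_info"}


def git_object_hash(kind: str, body: bytes) -> str:
    """SHA-1 over Git's object framing: '<type> <size>\\0' followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def blob_hash(path: Path) -> str:
    return git_object_hash("blob", path.read_bytes())


def git_tree_hash(directory: Path) -> str:
    """Hash of the tree object Git would build for `directory`.

    Entries are sorted by name, with '/' appended to directory names for the
    comparison (Git's ordering), and carry Git's modes: 100644 for a regular
    file, 100755 if executable, 120000 for a symlink, 40000 for a subtree.
    Empty subtrees are dropped because Git never records them.
    """
    entries = []
    for child in Path(directory).iterdir():
        if child.name in IGNORED:
            continue
        st = child.lstat()
        if stat.S_ISLNK(st.st_mode):
            mode, sha = b"120000", git_object_hash("blob", os.readlink(child).encode())
        elif stat.S_ISDIR(st.st_mode):
            mode, sha = b"40000", git_tree_hash(child)
            if sha == EMPTY_TREE:
                continue
        elif st.st_mode & stat.S_IXUSR:
            mode, sha = b"100755", blob_hash(child)
        else:
            mode, sha = b"100644", blob_hash(child)
        sort_key = child.name + ("/" if mode == b"40000" else "")
        entries.append((sort_key, mode + b" " + child.name.encode() + b"\0" + bytes.fromhex(sha)))
    return git_object_hash("tree", b"".join(raw for _, raw in sorted(entries)))


def is_commit_pin(version: str) -> bool:
    """A safe pin is a full commit hash.  A tag or branch name is rejected
    because anyone with write access can move it, which is the attack the
    issue describes."""
    return bool(FULL_COMMIT.match(version))


def verify_installed_role(role_dir, pinned_tree: str) -> bool:
    """True if the extracted role's content matches the pinned tree hash."""
    return git_tree_hash(Path(role_dir)) == pinned_tree.lower()


def build_sample_role() -> Path:
    """Constructed sample: a minimal role laid out the way ansible-galaxy leaves it."""
    role = Path(tempfile.mkdtemp()) / "example.role"   # hypothetical role name
    (role / "tasks").mkdir(parents=True)
    (role / "tasks" / "main.yml").write_bytes(b"hello\n")
    (role / "meta").mkdir()
    (role / "meta" / ".galaxy_install_info").write_text("version: v1.0.0\n")
    return role


if __name__ == "__main__":
    role = build_sample_role()
    pinned = git_tree_hash(role)          # the value you would record next to the commit
    print("pinned tree:", pinned, "ok:", verify_installed_role(role, pinned))
    (role / "tasks" / "main.yml").write_bytes(b"- debug: msg=tampered\n")  # simulate tampering
    print("after tampering ok:", verify_installed_role(role, pinned))
```

The tree hash to pin comes from a trusted clone with `git rev-parse <commit>^{tree}`; record it alongside the commit hash in the requirements file or a lock file, run `is_commit_pin` on the `version` field, and run `verify_installed_role` on each role directory after `ansible-galaxy install`. One caveat: if the repository uses `export-ignore` attributes, the archive ansible-galaxy extracts will lack those paths and differ from the tree, so the same exclusions would have to be applied before comparing.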