fluxcd
/
source-controller
mirror of https://github.com/fluxcd/source-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

storage: change Artifact checksum to SHA256 

This changes the format of the Artifact checksum from SHA1 to SHA256 to
mitigate chosen-prefix and length extension attacks, and ensures it can
be used to secure content against malicious modifications.

Source consumers (including our own {kustomize,helm}-controllers)
should ensure the SHA256 of a downloaded artifact matches the
advertised checksum before making use of it.

Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
Hidde Beydals 2021-08-09 20:48:25 +02:00 committed by Aurel Canciu
parent f3f7193a53
commit fb688ffe8a
No known key found for this signature in database
GPG Key ID: AB25339971E6F81E
7 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/v1beta1/artifact_types.go
View File

@ -39,7 +39,7 @@ type Artifact struct {
// +optional // +optional
Revision string `json:"revision"` Revision string `json:"revision"`
// Checksum is the SHA1 checksum of the artifact. // Checksum is the SHA256 checksum of the artifact.
// +optional // +optional
Checksum string `json:"checksum"` Checksum string `json:"checksum"`

2
config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml
View File

@ -99,7 +99,7 @@ spec:
description: Artifact represents the output of the last successful Bucket sync. description: Artifact represents the output of the last successful Bucket sync.
properties: properties:
checksum: checksum:
description: Checksum is the SHA1 checksum of the artifact. description: Checksum is the SHA256 checksum of the artifact.
type: string type: string
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. description: LastUpdateTime is the timestamp corresponding to the last update of this artifact.

4
config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
View File

@ -154,7 +154,7 @@ spec:
description: Artifact represents the output of the last successful repository sync. description: Artifact represents the output of the last successful repository sync.
properties: properties:
checksum: checksum:
description: Checksum is the SHA1 checksum of the artifact. description: Checksum is the SHA256 checksum of the artifact.
type: string type: string
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. description: LastUpdateTime is the timestamp corresponding to the last update of this artifact.
@ -223,7 +223,7 @@ spec:
description: Artifact represents the output of a source synchronisation. description: Artifact represents the output of a source synchronisation.
properties: properties:
checksum: checksum:
description: Checksum is the SHA1 checksum of the artifact. description: Checksum is the SHA256 checksum of the artifact.
type: string type: string
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. description: LastUpdateTime is the timestamp corresponding to the last update of this artifact.

2
config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
View File

@ -116,7 +116,7 @@ spec:
description: Artifact represents the output of the last successful chart sync. description: Artifact represents the output of the last successful chart sync.
properties: properties:
checksum: checksum:
description: Checksum is the SHA1 checksum of the artifact. description: Checksum is the SHA256 checksum of the artifact.
type: string type: string
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. description: LastUpdateTime is the timestamp corresponding to the last update of this artifact.

2
config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
View File

@ -83,7 +83,7 @@ spec:
description: Artifact represents the output of the last successful repository sync. description: Artifact represents the output of the last successful repository sync.
properties: properties:
checksum: checksum:
description: Checksum is the SHA1 checksum of the artifact. description: Checksum is the SHA256 checksum of the artifact.
type: string type: string
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. description: LastUpdateTime is the timestamp corresponding to the last update of this artifact.

8
controllers/storage.go
View File

@ -19,7 +19,7 @@ package controllers
import ( import (
"archive/tar" "archive/tar"
"compress/gzip" "compress/gzip"
"crypto/sha1" "crypto/sha256"
"fmt" "fmt"
"hash" "hash"
"io" "io"
@ -421,7 +421,7 @@ func (s *Storage) Symlink(artifact sourcev1.Artifact, linkName string) (string,
return url, nil return url, nil
} }
// Checksum returns the SHA1 checksum for the data of the given io.Reader as a string. // Checksum returns the SHA256 checksum for the data of the given io.Reader as a string.
func (s *Storage) Checksum(reader io.Reader) string { func (s *Storage) Checksum(reader io.Reader) string {
h := newHash() h := newHash()
_, _ = io.Copy(h, reader) _, _ = io.Copy(h, reader)
@ -447,7 +447,7 @@ func (s *Storage) LocalPath(artifact sourcev1.Artifact) string {
return path return path
} }
// newHash returns a new SHA1 hash. // newHash returns a new SHA256 hash.
func newHash() hash.Hash { func newHash() hash.Hash {
return sha1.New() return sha256.New()
} }

2
docs/api/source.md
View File

@ -856,7 +856,7 @@ string
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>Checksum is the SHA1 checksum of the artifact.</p> <p>Checksum is the SHA256 checksum of the artifact.</p>
</td> </td>
</tr> </tr>
<tr> <tr>