Whoa, what happened here?! How did the @caddyserver release asset count go from 28 to 134?

Well, @projectsigstore happened! Buckle up 🏎️
Since the early days of v2, before it went GA, we worked on having #ReproducibleBuilds. Much of this was easy thanks to @GoReleaser (go sponsor @caarlos0!) and @golang tooling!

blog.goreleaser.com/reproducible-b…
The tooling makes it possible to get a byte-for-byte match between two binaries if you build your own from scratch with the same tools (same Go toolchain and @GoReleaser version). In other words, cloning the repo and building v2.x.x with @GoReleaser on your own machine should give you a 0-diff binary compared to the ones produced by our CI/CD.
Sweet! We still have a missing piece of the puzzle: signing the artifacts. This was me after wrestling with gpg on the same day I set up our CI/CD flows. We have hashes, but who says the artifacts and the hashes were not MitM-ed? Anyone who can swap the archive can swap the checksum file sitting next to it, too. 🫤

Signing proves the integrity of the artifact and the identity of the person putting their John Hancock on it. We had an incident in late 2020 where CI/CD executed the release workflow due to a tag pushed on a fork. How do we know the tag is approved?

Our fix for that issue was to add a step to our workflow that rejects any tag not signed by @mholt6, the BDFL of @caddyserver, plain and simple. I admit, this was a band-aid.

github.com/caddyserver/ca…
Binaries are still not signed, though. How do we publicly prove the integrity of the binaries, prove the identity of the subject behind the signing key, prove the validity of the signature and the keys, and show that all is in order?

Enter @projectsigstore
redhat.com/en/blog/sigsto…
.@projectsigstore is an initiative to build an ecosystem that issues short-lived code-signing certs bound to the identity embedded in CI/CD environments (Fulcio), publicly records the certs and signatures in a transparency log (tlog, Rekor), and covers everything in between.

security.googleblog.com/2021/03/introd…
You can read about the design of @projectsigstore here:

docs.google.com/document/d/146…
Yet again, with the help of @GoReleaser, it was easy to add not only keyless signatures with @projectsigstore, but also SBOMs for all binaries attached to releases. Moreover, every artifact is signed, be it an archive, an SBOM, or the checksum file!

Sign all the things!
In sum: @caddyserver git tags are signed, SBOMs are provided and signed, builds are reproducible, checksummed and signed, and the signatures are publicly published. Are we still "trusting trust" in the supply chain?

We'll publish instructions on how to verify the signatures 📑
We're probably too late to the party, @lorenc_dan, but the answer is: Yes, as of v2.6.0-beta*
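As an added example, not Caddy's or GoReleaser's own code, here is the verification order the thread is getting at, written in Go: check the signature over the checksum file first, then check every artifact against the digests that signature covers. A locally generated Ed25519 key stands in for the short-lived certificate that cosign keyless mode obtains from Fulcio (an assumption made so the example runs offline), and the artifact names and bytes are constructed. The third call in main is the hash-only MitM described above, where an attacker replaces both an archive and its checksum line; the stale signature catches it.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release maps artifact file names to their bytes. Names and contents are
// constructed stand-ins, not real Caddy release assets.
type Release map[string][]byte

func sampleRelease() Release {
	return Release{
		"caddy_linux_amd64.tar.gz":   []byte("constructed: linux amd64 archive"),
		"caddy_darwin_arm64.tar.gz":  []byte("constructed: darwin arm64 archive"),
		"caddy_linux_amd64.sbom.json": []byte(`{"bomFormat":"constructed"}`),
	}
}

// ChecksumsFile renders a sha256sum-style listing ("<hex>  <name>\n") in
// sorted order, so two builds of the same inputs yield identical bytes.
func ChecksumsFile(rel Release) []byte {
	names := make([]string, 0, len(rel))
	for n := range rel {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(rel[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// SignChecksums signs the checksum file. Assumption: a local Ed25519 key
// replaces the Fulcio-issued certificate cosign uses in keyless mode; the
// verification order below is the same either way.
func SignChecksums(priv ed25519.PrivateKey, checksums []byte) []byte {
	return ed25519.Sign(priv, checksums)
}

// parseChecksums parses "<hex>  <name>" lines into name -> digest.
func parseChecksums(checksums []byte) (map[string][]byte, error) {
	out := make(map[string][]byte)
	sc := bufio.NewScanner(bytes.NewReader(checksums))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sum, err := hex.DecodeString(fields[0])
		if err != nil || len(sum) != sha256.Size {
			return nil, fmt.Errorf("bad digest for %s", fields[1])
		}
		out[fields[1]] = sum
	}
	return out, sc.Err()
}

// VerifyRelease checks the signature over the checksum file first, then
// checks each artifact against the now-trusted digest. Order matters: an
// unsigned checksum file says nothing about who produced it.
func VerifyRelease(pub ed25519.PublicKey, checksums, sig []byte, rel Release) error {
	if !ed25519.Verify(pub, checksums, sig) {
		return errors.New("checksum file signature does not verify")
	}
	want, err := parseChecksums(checksums)
	if err != nil {
		return err
	}
	for name, data := range rel {
		expected, ok := want[name]
		if !ok {
			return fmt.Errorf("%s is not listed in the signed checksum file", name)
		}
		got := sha256.Sum256(data)
		if !bytes.Equal(got[:], expected) {
			return fmt.Errorf("%s: digest mismatch", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rel := sampleRelease()
	checksums := ChecksumsFile(rel)
	sig := SignChecksums(priv, checksums)
	fmt.Println("genuine release:", VerifyRelease(pub, checksums, sig, rel))

	// Attacker swaps one archive but leaves the signed checksum file alone.
	tampered := sampleRelease()
	tampered["caddy_linux_amd64.tar.gz"] = []byte("backdoored archive")
	fmt.Println("tampered archive:", VerifyRelease(pub, checksums, sig, tampered))

	// Attacker swaps the archive AND regenerates the checksum file (the
	// hash-only MitM). The original signature no longer covers the new file.
	forged := ChecksumsFile(tampered)
	fmt.Println("forged checksums:", VerifyRelease(pub, forged, sig, tampered))
}
```

Against a real release the same two steps are a `cosign verify-blob` of the checksum file against its signature and certificate, followed by `sha256sum -c` of the archives; the checksum file is only worth anything once its signature has been verified against an identity you expected to sign it.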

Thread by Mohammed S. Al Sahaf (@MohammedSahaf)