Dockerfile: mitigate certain supply chain attacks using sha256sums#99

Closed
ynezz wants to merge 1 commit into NabuCasa:main from ynezz:ynezz/sha256sums

ynezz commented Jan 6, 2025

Currently, the Dockerfile downloads various tools and SDKs from external sources without verifying their integrity. This poses a potential security risk as the downloaded files could be tampered with during transit or at the source (supply chain attack).

This change introduces SHA256 checksums for all downloaded artifacts and verifies them before installation. This ensures that the files we receive match exactly what we expect, mitigating the risk of supply chain attacks where malicious actors might try to inject compromised versions of these tools.

Signed-off-by: Petr Štetiar <petr.stetiar@prplfoundation.org>

Collaborator

puddly commented Jan 6, 2025

Silicon Labs unfortunately doesn't provide stable URLs to their software so the checksums will just constantly change as they release new versions. The checksum for slc-cli is now a231690468273272427ea7c094429d86099d99a2511622d18f6d0b928e23767f.

Author

ynezz commented Jan 6, 2025

So there is no way to check the integrity of the tarballs?

Collaborator

puddly commented Jan 6, 2025

Not without making the Docker container builds fail at some point in the future. All of the https://www.silabs.com/documents/login/software/* URLs point to constantly-updating ZIP releases so the Dockerfile will just stop working when they change it. So if the container needs to be rebuilt, it's possible that the hashes will be out-of-date.

The other URLs, however, are stable.

Author

ynezz commented Jan 7, 2025

Collaborator

puddly commented Jan 21, 2026

This has finally been implemented via #175. We rely on caching layers to avoid recomputing checksums unnecessarily, still waiting on Silicon Labs to implement stable URLs.

@puddly puddly closed this Jan 21, 2026
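
The check this thread discusses, as an added example that is not the code from this pull request or from #175: a fail-closed SHA-256 pin check for a build step that reports the observed digest when an upstream file has changed under the same URL. The function names `verify_sha256` and `fetch_pinned` are hypothetical, and the sketch assumes `sha256sum` and `curl` are present in the build image.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the project's own code.

# verify_sha256 FILE EXPECTED_HEX
#   0 = digest matches the pin
#   1 = mismatch (the file is deleted so later steps cannot use it)
#   2 = malformed pin or missing file
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Accept only 64 hex characters, so an empty or truncated build
    # argument can never be treated as a valid pin.
    case $expected in
        *[!0-9a-f]*) echo "bad pin for $file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pin length for $file" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        # Report both digests: when the URL is not stable, this shows that
        # the upstream file changed and the pin needs review before update.
        echo "sha256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f -- "$file"
        return 1
    fi
    return 0
}

# fetch_pinned URL EXPECTED_HEX OUT
#   Download over HTTPS only, then verify before anything unpacks the file.
fetch_pinned() {
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$3" "$1" || return 2
    verify_sha256 "$3" "$2"
}
```

In a Dockerfile, a non-zero return from `fetch_pinned` inside a `RUN` step stops the build, which is the failure mode described above for URLs whose contents change between releases.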