Need to automatically and securely verify a download is legit? You bet rget this new tool

Brandon Philips, a member of the technical staff at Red Hat, has created a software tool called rget for Linux, macOS, and Windows, to make it easier to determine whether downloaded files can be trusted. The command-line application is intended as an alternative to wget, a widely used tool for fetching files that has been …

  1. John Riddoch

    Not a panacea

    All it takes is someone hacking the server (or intermediary proxy) and deploying a trojanned file and updated hash; that's generally easier than manipulating a download in flight. It's an improvement on a blind download, at least.

    1. _LC_ Bronze badge

      Re: Not a panacea

      It goes without saying that there should be various mirrors, which do checking.

    2. This post has been deleted by its author

    3. Anonymous Coward

      Re: Not a panacea

      John, can you explain how you'd get around to obtaining the merkle-tree head DNS entry, a certificate from the CA you use to sign your releases with, and how you'd get that served on the right endpoint? Just curious. Unless you didn't read how it works of course :)

      1. phuzz Silver badge

        Re: Not a panacea

        There's at least two attacks I can think of:

        One: hack one of the existing developers and release the code using their identity; chances are they'll use the same credentials for uploading a new version as they do for updating the hash. Or it'll be a somewhat automated tool chain for pushing a new release. This could involve anything from pure social engineering to getting access to their physical hardware (i.e. stealing their laptop) or anything in between.

        Or, pretend to be a good developer and get granted your own credentials (more social engineering).

        (Similar to the second one would be buying an existing app from its creator and updating it to do what you want).

        rget only protects against someone modifying an existing release, and assumes that they can't modify the file and the hash.

        1. Anonymous Coward

          Re: Not a panacea

          Agreed! I just wanted to nuance things a little bit, as the earlier comment stated that only a hacked proxy would be required. If, as a developer, you don't have proper opsec and password hygiene around signing your releases, this mechanism most certainly will not help.

    4. Stratman

      Re: Not a panacea

      Blockchain! We need more blockchain!

      1. DownUndaRob

        Re: Not a panacea

        An ideal opportunity for blockchain to display its real use.

  2. Pascal Monett Silver badge

    "It would be awesome if Kubernetes [..] checked the container digest,"

    I think it's awesome that somebody finally did this. We've all been hearing about hash checks for decades, but this is finally going to make it part of standard checking automatically - or as near as possible.

    Sure, there's always a risk, but that does not diminish the value of this tool.

    1. eldakka Silver badge

      Re: "It would be awesome if Kubernetes [..] checked the container digest,"

      I think it's awesome that somebody finally did this.

      There are tools that do this already. E.g. DownThemAll plugin for Firefox can do this (well, the pre-Webextension Firefox anyway).

      All this is really doing is merging wget and the many standard utilities that exist for checking hashes anyway, so it removes a manual step (or having to write a trivial script that glues wget and hash checking together).

      1. Nifty

        Re: "It would be awesome if Kubernetes [..] checked the container digest,"

        I used to use DownThemAll till it was near impossible to prevent Firefox updating to Quantum version. DownThemAll still isn't available for Quantum which is the version of FF that is supported for security updates.

  3. Steve Graham

    Yes, but

    How about when web developers call external scripts from the likes of code.jquery.com?

    1. monty75

      Re: Yes, but

      That's what subresource integrity checks are for https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
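The check behind that link, as an added example (not from the MDN page and not rget): computing a Subresource Integrity value for a script you intend to load from a third-party host, and checking a fetched copy against it. The script body and the CDN URL (cdn.example) are constructed here so the demo runs offline; in real use you hash the exact bytes the CDN serves.

```shell
#!/bin/sh
# Added example: Subresource Integrity (SRI) hash generation and check.
# Assumptions: openssl is installed; the script body below is constructed
# for the demo and https://cdn.example/lib.js is a placeholder URL.
set -eu

# sri_hash <file>  -> prints "sha384-<base64 digest>", the value that
# goes into the integrity= attribute of a <script> or <link> tag.
sri_hash() {
    printf 'sha384-%s\n' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# sri_check <file> <expected>  -> exit 0 only if the file's SRI value
# matches; this is the comparison the browser makes before executing
# a script that carries an integrity attribute.
sri_check() {
    [ "$(sri_hash "$1")" = "$2" ]
}

WORK=$(mktemp -d)
# Constructed stand-in for the third-party library you would otherwise
# pull straight from the CDN.
printf 'window.hello = function () { return "hi"; };\n' > "$WORK/lib.js"
EXPECTED=$(sri_hash "$WORK/lib.js")

# The tag you would put on your own page.
printf '<script src="https://cdn.example/lib.js" integrity="%s" crossorigin="anonymous"></script>\n' "$EXPECTED"

# A copy with a single line appended (what a compromised or "helpfully
# updated" CDN would serve) fails the check, so the browser refuses to
# run it instead of executing whatever changed.
cp "$WORK/lib.js" "$WORK/lib-modified.js"
printf '//x\n' >> "$WORK/lib-modified.js"
if sri_check "$WORK/lib-modified.js" "$EXPECTED"; then
    echo "unexpected match"
else
    echo "modified script rejected"
fi
```

The flip side, and why it pins rather than "keeps up to date": any change on the CDN, including a legitimate new version, breaks the page until you recompute the hash, so the integrity value must be regenerated as part of your own release process.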

    2. alain williams Silver badge

      Re: Yes, but

      They are muppets if they do so, unfortunately this is all too common.

      The problem with bringing in Javascript from all over the place is that it makes the web page fail if the visitor is running a Javascript blocker, as we do in increasing numbers to stop 3rd party adverts and privacy intrusion from things like google-analytics.

      If you want to use jQuery then dish it up from your own server, it is smaller than the corporate logo that you have on every page.

      1. GnuTzu Silver badge

        Re: Yes, but

        Oh, I've seen a few developers learn their lesson on this. They thought that they'd be keeping up-to-date by pulling directly from CloudFlare or Google. Tsk, tsk, all is not so easy.

  4. Anonymous Coward

    Store the keys on a blockchain ?

    Then they are distributed and immutable

    (ducks).

    1. Steve Button

      Re: Store the keys on a blockchain ?

      That's actually not a bad idea on the face of it. One of the few genuinely good uses for blockchain perhaps, which would probably scale well enough for what's needed (unlike money transactions).

      1. STOP_FORTH

        Re: Store the keys on a blockchain ?

        I was thinking of a DNS type system where you have authoritative root hash servers that distribute hash lists to lower level servers.

        But I like blockchain better!

        Maybe we could also hash the hash list every so often, to makes sure nobody has made unauthorised changes? Then we could hash the hash of hashes just to be really sure? Then it's hashes all the way down?

  5. STOP_FORTH

    Huh! Just looked at a description of merkle trees (see AC comment near top). Bloody code monkeys, they think of everything. I'm going to create a code-monkey-puzzle-merkle-tree.

    That'll teach 'em!

  6. Zippy´s Sausage Factory

    It's not often an idea comes along like this that you think "that's just brilliant... I wish I'd thought of it."

    This is making me feel all warm and fuzzy inside...

  7. CrysTalK

    In *nix world there's pipes and scripts

    This rget tool sounds user friendly. But in *nix world you can just pipe or build a 4 line script to:

    download the file (wether binary or compressed) using the good old wget

    verify the private key (sig) of 'checksum file' with public key of author using OpenSSL

    verify the digest of the binary using the 'checksum file'

    Done.

    With rget there are new weaknesses created, as mentioned above. This tool rget is more convenient and user friendly but less secure, IMO.
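The wget + OpenSSL + checksum routine described in the comment above, written out as an added example (it is not rget, and not code from the article or the commenter). Everything is constructed in a temporary directory so it runs offline: the author's key pair, the "release", the SHA256SUMS file and its signature are all generated here. In real use you would fetch the release, SHA256SUMS and SHA256SUMS.sig with wget, and the author's public key would have to come from somewhere other than the download server.

```shell
#!/bin/sh
# Added example: signed-checksum verification of a download.
# Assumptions: openssl and GNU sha256sum are installed; file names
# (release.tar.gz, SHA256SUMS, SHA256SUMS.sig, author.pub) are chosen
# for the demo.
set -eu

WORK=$(mktemp -d)

# Publisher side (simulated): generate the author's key pair, create a
# "release", record its SHA-256 in SHA256SUMS and sign that file.
make_release() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/author.key" 2>/dev/null
    openssl pkey -in "$dir/author.key" -pubout -out "$dir/author.pub"
    printf 'pretend this is a tarball\n' > "$dir/release.tar.gz"
    ( cd "$dir" && sha256sum release.tar.gz > SHA256SUMS )
    openssl dgst -sha256 -sign "$dir/author.key" \
        -out "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"
}

# Downloader side: the two checks from the comment, after the wget step.
# Returns 0 only if the signature over SHA256SUMS verifies with the
# author's public key AND every digest listed in it matches the file on
# disk. Order matters: verify the signature first, then trust the list.
verify_release() {
    dir=$1
    ( cd "$dir" \
      && openssl dgst -sha256 -verify author.pub \
             -signature SHA256SUMS.sig SHA256SUMS >/dev/null 2>&1 \
      && sha256sum -c --strict SHA256SUMS >/dev/null 2>&1 )
}

make_release "$WORK"
verify_release "$WORK" && echo "release OK"

# Tamper with the payload (what a hostile mirror or proxy could do).
# The signed checksum list still verifies, but the digest no longer
# matches, so the download is rejected.
printf 'trojan\n' >> "$WORK/release.tar.gz"
verify_release "$WORK" || echo "tampered release rejected"

# Now also replace the checksum list, as the first comment in the thread
# suggests an attacker on the server would: the digest matches again,
# but the signature no longer does, so it is still rejected.
( cd "$WORK" && sha256sum release.tar.gz > SHA256SUMS )
verify_release "$WORK" || echo "re-hashed tampered release rejected"
```

What this does and does not cover follows the thread: a hostile server or proxy cannot swap the file and the hash without also producing a valid signature, but anyone holding the author's signing key, or a public key you accepted from the same server you are distrusting, passes every check here.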

    1. Claptrap314 Silver badge

      Re: In *nix world there's pipes and scripts

      It depends a bit on your threat model. It's easier to compromise one resource than two.

      Not read the file, but assuming they are using Merkle trees/blockchain, then this does provide a notable improvement in security for old releases.

      One would hope that they also provide a mechanism to mark a particular version as known vulnerable.

    2. jake Silver badge

      Re: In *nix world there's pipes and scripts

      "wether binary or compressed"

      You don't compress wether, you compress duck. Wether is best spit-roasted.

  8. jake Silver badge

    It's not like ...

    ... the tools for this haven't existed for decades. But thanks. I guess.

  9. macjules Silver badge

    Being a nitpicking pedant (again) ...

    "Brandon Philips, a member of the technical staff at IBM"

    FTFY

    1. AdamWill

      Re: Being a nitpicking pedant (again) ...

      Not really. Red Hat still exists, it's just now owned by IBM as opposed to being owned by a bunch of shareholders. But it is (and will remain for the foreseeable future) a separate legal entity, and people who work for Red Hat are still employed by that legal entity, not by the legal entity called IBM.

      1. jake Silver badge

        Re: Being a nitpicking pedant (again) ...

        "people who work for Red Hat are still employed by that legal entity, not by the legal entity called IBM"

        They will be employed until IBM decides it needs to trim the workforce to cut costs. And as we all know, IBM has become very, very good at doing that of late.

  10. teknopaul Silver badge

    great idea

    This is a great idea, because RPM is so complicated that quite often people don't bother.

    Software repos exist. But they all get sys specific cruft added till they are too complicated and people resort to wget.

    Rget is kinda cool. Wish it wasn't.

    You should be able to make an rpm with something like

    mkrpm foo.rpm .

    1. sed gawk Bronze badge

      Re: great idea

      not quite mkrpm but FPM is fairly close, can pump out RPM, DEBS, SPECS, and others..

      no association just a user

      https://github.com/jordansissel/fpm

  11. Anonymous Coward

    good idea, really

    I wonder why the wget devs haven't put it in already.

    Every time I'm downloading a Linux ISO image, I'm checking the SHA sig. Would save me the hassle.

    1. jake Silver badge

      Re: good idea, really

      Because wget isn't "Linux", it's GNU. The design philosophy of *nix is "many tools, each of which do one thing right". Wrap whatever tools you like in a script, and Bob's your Auntie. (Actually, I question the "combine FTP and HTTP into one tool" reasoning behind wget ... but I'll be nice and not go there for the moment.)

      Just as a friendly reminder to the kiddies brought up on a GUI: if you have to type it once a month or more, script it (or make it an alias). Saves the heartache of typos, if nothing else.

      For extra points, can you guess why I shy away from distros which think systemd is a good idea?

  12. Cederic Bronze badge

    no love for the subtitle?

    I only clicked on the article because I was giggling at Wget's, I've had a few..


Biting the hand that feeds IT © 1998–2019