[BUG] buildman does not check signature of toolchain
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Wed Oct 27 16:22:59 CEST 2021
On 10/27/21 16:05, Simon Glass wrote:
> Hi Heinrich,
>
> On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> <heinrich.schuchardt at canonical.com> wrote:
>>
>> Downloading binaries and executing without checking the authenticity is
>> at least unwise.
>>
>> When binman downloads GCC it should also download and verify the GPG
>> signatures.
>>
>> Additionally binman could hold a list of the SHA256 hashes of all
>> binaries in question for a further check.
>
> Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> or just come up with this idea? You could try the new issue tracker!

tools/buildman/toolchain.py

I have seen this script downloading binaries and executing them on my
machine without verification. This makes me feel insecure.

test/run invokes buildman.

The same is true for tools/docker/Dockerfile. As Docker does not use its
own kernel you should avoid running untrusted binaries in a container.

Best regards

Heinrich
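
The pinned SHA-256 check proposed in the message above, as an added example that is not buildman's code and not part of the original mail. The function names, the archive name and the pin list are hypothetical, and the archive bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile


class VerificationError(Exception):
    """The downloaded file must not be unpacked or executed."""


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream 1 MiB at a time
            digest.update(chunk)
    return digest.hexdigest()


def install_verified(tmp_path, dest_dir, pinned):
    """Move tmp_path into dest_dir only if its SHA-256 matches pinned[name]."""
    name = os.path.basename(tmp_path)
    expected = pinned.get(name)
    if expected is None:  # fail closed: an unlisted file is never trusted
        raise VerificationError(f"{name}: no pinned hash")
    actual = sha256_file(tmp_path)
    if not hmac.compare_digest(actual, expected.lower()):
        os.unlink(tmp_path)  # do not leave the unverified file behind
        raise VerificationError(f"{name}: SHA-256 mismatch, got {actual}")
    final = os.path.join(dest_dir, name)
    os.replace(tmp_path, final)  # final path only ever holds verified data
    return final


def demo():
    name = "example-toolchain.tar.xz"  # hypothetical archive name
    good = b"constructed archive bytes"
    pinned = {name: hashlib.sha256(good).hexdigest()}
    installed = []
    for body in (good, good + b"\x00"):  # intact, then modified in transit
        with tempfile.TemporaryDirectory() as tmp:
            dest = tempfile.mkdtemp(dir=tmp)
            download = os.path.join(tmp, name)
            with open(download, "wb") as fh:
                fh.write(body)
            try:
                install_verified(download, dest, pinned)
            except VerificationError:
                pass
            installed.append(os.listdir(dest))
    return installed
```

The pin list only helps if it is distributed with the source tree rather than fetched from the same server as the archive; it is the further check the message describes, alongside the GPG signature verification.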