Skip to content
/ getsum Public

Abuse the gosum database to store verifiable hashes about any binary file

License

Apache-2.0 license
7 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mkmik/getsum

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

893 Commits
.github
.github
 
 
cmd/getsumweb
cmd/getsumweb
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.kodiak.toml
.kodiak.toml
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Public Artifact Checksums Witness

This server observes and records checksums of publicly downloadable artifacts. It offers verifiable proof that the claimed observations are immutable, i.e. this server cannot serve a different claim in the future.

It can be used to detect URLs whose content breaks immutability guarantees (e.g. usually versioned software releases).

Install

$ GO111MODULE=on go get getsum.pub/getsum@latest

Usage

$ getsum https://some.com/url/to/a/file

getsum returns the hash of a file. The hash is fetched by getsum.pub by reading https://some.com/url/to/a/file.sha256 and falling back to https://some.com/url/to/a/SHA256SUMS (we'll add more ways to seeding the hash; although we're likeley keep avoiding downloading large files from the internet)

However, getsum.pub doesn't directly serve the hash to the getsum.pub client. Instead it generates a fake Go module getsum.pub/https/some.com/ovzgy/orxq/me/mzuwyzi (all path components are base32-encoded to ensure any URL is a valid Go import path) which contains the original URL and the sha256 checksum of it.

The getsum client then fetches this module using the https://proxy.golang.org and verifies the checksum using https://sum.golang.org. (read more about it here)

Thus we leverage an existing large scale transparent log to ensure that files are indeed immutable the original publisher of that URL never changes the file (and the published .sha file).

Verify

getsum doesn't download the file, you need to use a tool like curl or wget, but it can verify whether the file you just downloaded matches the published hash and that the hash hasn't been modified.

$ wget https://some.com/url/to/a/file \
  && getsum -c file https://some.com/url/to/a/file \
  && echo "good file, continue"

About

Abuse the gosum database to store verifiable hashes about any binary file

Topics

go security hack transparency

Resources

Readme

License

Apache-2.0 license
Activity

Stars

7 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Jul 27, 2020

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages