Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!: refuse to download unverified downloads #548

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Aug 19, 2024

For the most common use case where a Corepack user interacts with an already-setup-for-Corepack project, this PR doesn't change anything, the project would have a "packageManager" field that includes a hash to validate the download.

However, for cases when there are no hash defined there or in the CLI command (corepack [email protected]/corepack up/corepack use [email protected]), we need another way to validate the download. For downloads from the npm registry, we verify using the ECDSA signature provided in the package metadata. For package manager that are not downloaded from the npm registry (i.e. Yarn Berry), the download is only protected by TLS, which is pretty good, but not as good.

This change is going to be disruptive to Yarn Berry users. I think the Yarn team can mitigate by either:

  • switch to download newer versions of Yarn from the npm registry (we cannot change earlier versions without invalidating everyone's hash).
  • send a change for Corepack to validate the download using the npm integrity when no hash is provided.
  • provide signatures for Yarn releases in the Yarn registry.

Fixes: #495

@aduh95 aduh95 requested review from mcollina and arcanis August 19, 2024 09:23
@arcanis
Copy link
Contributor

arcanis commented Aug 19, 2024

switch to download newer versions of Yarn from the npm registry (we cannot change earlier versions without invalidating everyone's hash).

We're unlikely to do that, as we want our official binaries to be downloaded from our official website.

sources/corepackUtils.ts Outdated Show resolved Hide resolved
Copy link
Contributor

@arcanis arcanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marking request changes just to be sure this doesn't land before we implement signing in Yarn (which is in our plans, but I'm in paternity leave at the moment).

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina
Copy link
Member

@arcanis I'm glad to hear that signatures are planned for yarn. what's your timeline to add said support? September/October?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

downloads package managers only from npm by default
4 participants