Skip to content

Add checksum to ArtC's data.fileInformation objects #290

New issue
New issue
Closed
#320
Closed
Add checksum to ArtC's data.fileInformation objects#290
#320
Assignees
magnusbaeck
Labels
protocolAll protocol changes
Milestone
Edition Arica
@magnusbaeck

Description

@magnusbaeck
magnusbaeck
opened on Jan 4, 2022

Description

The objects in the data.fileInformation array of ArtC should have an optional checksum member so that consumers can verify the integrity of the artifact's files. Example:

{
  "meta": {
    "type": "EiffelArtifactCreatedEvent",
    ...
  },
  "data": {
    "fileInformation": [
      {
        "name": "image.bin",
        "integrity": {
          "checksum": "a480451897f590d3eb032c946de140b092dcda58356b5647bdeeee30f965769b",
          "alg": "SHA-256"
        }
      },
    ],
    ...
  },
  ...
}

It's tempting to align with meta.security.integrityProtection, but they're not quite the same as the latter signs the payload and references algorithms for signatures and HMACs but in this case we just want a plain checksum with no secret (neither shared key or public key).

Motivation

An artifact consumer can verify that the file they eventually download actually is the same file as the original and that no corruption or funny business has taken place.

Exemplification

See above.

Benefits

An opportunity to improve the integrity of the software supply chain by using Eiffel to verify the end-to-end integrity of artifacts produced in a pipeline. This can be used to detect honest mistakes, corruption, and malicious attacks on the artifact storage.

Possible Drawbacks

None.

Metadata

Metadata

Assignees

Labels

protocolAll protocol changes

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions