Skip to content

[DEVSVCS-5278] Harden cre update#510

Open
anirudhwarrier wants to merge 8 commits into
mainfrom
DEVSVCS-5278/harden-update
Open

[DEVSVCS-5278] Harden cre update#510
anirudhwarrier wants to merge 8 commits into
mainfrom
DEVSVCS-5278/harden-update

Conversation

@anirudhwarrier

@anirudhwarrier anirudhwarrier commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

DEVSVCS-5278

Summary

Hardens cre update by verifying release authenticity before replacing the running binary. Previously, the command downloaded a GitHub release archive, extracted it, and self-replaced with no signature check.

Verification is mandatory and fail-closed: any failure aborts before chmod / replaceSelf. There is no skip flag.

Platform verification

Platform Mechanism Trust anchor
Linux GPG detached signature on extracted binary Embedded install/public_key.asc via new install/keys.go; .sig downloaded from release
macOS codesign --verify --strict --identifier com.smartcontract.cre.cli OS codesign trust
Windows PowerShell Get-AuthenticodeSignature (Valid + SmartContract in subject) OS Authenticode trust

Update flow

fetch tag → download archive → extract binary → verify signature → chmod → replaceSelf

On Linux, the matching .sig asset (e.g. cre_linux_amd64.sig) is downloaded after extraction.

Other changes

  • Refactored getAssetName() to return archName for sig asset naming
  • Added platform-specific verify_*.go files with build tags
  • Unit tests for GPG verification (Linux), Run() integration via httpmock, and helper tests
  • Updated cre update command long help and docs/cre_update.md

…n in update process

- Updated getAssetName function to return architecture name along with asset and platform.
- Added signature download and verification for Linux before installing the binary.
- Updated documentation to reflect the new signature verification process for releases.
@anirudhwarrier anirudhwarrier force-pushed the DEVSVCS-5278/harden-update branch from 45dade9 to ab205cc Compare July 3, 2026 07:55
@anirudhwarrier anirudhwarrier changed the title [DEVSVCS-5278] Enhance asset name retrieval and signature verification in update process [DEVSVCS-5278] Harden cre update Jul 3, 2026
…ll package

- Removed embedded public key and replaced it with a reference to install.ReleasePublicKey.
- Added a test to ensure the embedded public key matches the public_key.asc file.
- Updated tests to reflect the changes in public key handling.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28647461840

Note: These are preview builds and are not signed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28647724460

Note: These are preview builds and are not signed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28650130105

Note: These are preview builds and are not signed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28650681099

Note: These are preview builds and are not signed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28651527407

Note: These are preview builds and are not signed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28653626223

Note: These are preview builds and are not signed.

@anirudhwarrier anirudhwarrier marked this pull request as ready for review July 3, 2026 10:55
@anirudhwarrier anirudhwarrier requested a review from a team as a code owner July 3, 2026 10:55
@anirudhwarrier anirudhwarrier requested a review from timothyF95 July 3, 2026 10:56
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🚀 Preview Build Artifacts

You can download the preview builds for this PR from the following URL:

https://github.com/smartcontractkit/cre-cli/actions/runs/28656004331

Note: These are preview builds and are not signed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant