Use the official pub key to always verify binary by donatello · Pull Request #16857 · minio/minio · GitHub

Use the official pub key to always verify binary #16857


Merged
merged 1 commit into from
Mar 20, 2023


donatello
Member

Description

This ensures that the binary being upgraded to is verified by default, even if MINIO_UPDATE_MINISIGN_PUBKEY is unset. This ensures that a user of minio cannot trigger an upgrade to a binary controlled by them (RCE).

Motivation and Context

How to test this PR?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

This ensures that the binary being upgraded to is verified by default,
even if MINIO_UPDATE_MINISIGN_PUBKEY is unset. This ensures that a user
of minio cannot trigger an upgrade to a binary controlled by them (RCE).
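The difference between opt-in and always-on verification that the description refers to, as an added example; this is not MinIO's code. It uses Go's standard `crypto/ed25519` as a stand-in for minisign verification, and the key pair, the hex key encoding, the override behaviour when a key is configured, and all function names are assumptions of the example; `envKey` stands for the value of MINIO_UPDATE_MINISIGN_PUBKEY.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed key pair standing in for the vendor key; a real updater embeds only the public half.
var vendorPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var builtinPub = vendorPriv.Public().(ed25519.PublicKey)
var errBadSig = errors.New("update rejected: signature does not verify")

// signRelease produces a constructed "official" signature for the sample data.
func signRelease(bin []byte) []byte { return ed25519.Sign(vendorPriv, bin) }

// check verifies sig over bin with the hex-encoded key, or with builtinPub when keyHex is empty.
func check(keyHex string, bin, sig []byte) error {
	pub := builtinPub
	if keyHex != "" {
		raw, err := hex.DecodeString(keyHex)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return errors.New("update rejected: malformed public key")
		}
		pub = ed25519.PublicKey(raw)
	}
	if !ed25519.Verify(pub, bin, sig) {
		return errBadSig
	}
	return nil
}

// verifyOptIn models opt-in verification: no configured key means no check at all.
func verifyOptIn(envKey string, bin, sig []byte) error {
	if envKey == "" {
		return nil // fail-open: the binary is accepted unverified
	}
	return check(envKey, bin, sig)
}

// verifyAlways models the fix: an unset key falls back to the built-in one.
func verifyAlways(envKey string, bin, sig []byte) error { return check(envKey, bin, sig) }

func main() {
	unsigned := []byte("constructed binary without a vendor signature")
	fmt.Println("opt-in, key unset:", verifyOptIn("", unsigned, nil))
	fmt.Println("always, key unset:", verifyAlways("", unsigned, nil))
}
```
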
@minio-trusted
Contributor

Mint Automation

Test Result
mint-erasure.sh ✔️
mint-compress-encrypt-dist-erasure.sh ✔️
mint-pools.sh more...

16857-4d4cc50/mint-pools.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.6:31438
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp be6d4c9457fc:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 8 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 43 seconds
(4/14) Running aws-sdk-ruby tests ... done in 9 seconds
(5/14) Running awscli tests ... done in 1 minutes and 16 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 18 seconds
(8/14) Running minio-go tests ... done in 56 seconds
(9/14) Running minio-java tests ... done in 37 seconds
(10/14) Running minio-js tests ... done in 52 seconds
(11/14) Running minio-py tests ... FAILED in 2 minutes and 12 seconds
{
  "name": "minio-py:test_stat_object",
  "status": "FAIL",
  "args": {
    "bucket_name": "minio-py-test-12dd6e7d-cfab-460c-8525-9232fc0fa5c3",
    "object_name": "fd1b4eac-9e19-47c6-8e81-c28e06033a31-metadata",
    "length": 11534336,
    "data": "LimitedRandomReader(11 * MB)",
    "metadata": {
      "X-Amz-Meta-Testing": "value"
    },
    "content_type": "application/octet-stream"
  },
  "message": "('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))",
  "error": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/mint/run/core/minio-py/tests.py\", line 126, in _call_test\n    func(log_entry, *args, **kwargs)\n  File \"/mint/run/core/minio-py/tests.py\", line 820, in test_stat_object\n    _test_stat_object(log_entry, sse)\n  File \"/mint/run/core/minio-py/tests.py\", line 794, in _test_stat_object\n    result = _CLIENT.put_object(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1766, in put_object\n    raise exc\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1725, in put_object\n    upload_id = self._create_multipart_upload(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1565, in _create_multipart_upload\n    response = self._execute(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 403, in _execute\n    return self._url_open(\n  File 
\"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 266, in _url_open\n    response = self._http.urlopen(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py\", line 376, in urlopen\n    response = conn.urlopen(method, u.request_uri, **kw)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 787, in urlopen\n    retries = retries.increment(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py\", line 550, in increment\n    raise six.reraise(type(error), error, _stacktrace)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/packages/six.py\", line 769, in reraise\n    raise value.with_traceback(tb)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nurllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))\n",
  "duration": 114945
}
(11/14) Running s3cmd tests ... done in 18 seconds
(12/14) Running s3select tests ... done in 4 seconds
(13/14) Running versioning tests ... done in 4 minutes and 0 seconds

Executed 13 out of 14 tests successfully.

Deleting image on docker hub
Deleting image locally
