Endo archive hashing #794

Closed
kriskowal opened this issue Jun 22, 2021 · 2 comments · Fixed by #799
@kriskowal

Per a design suggested by @warner, Endo archives need a consistent hash. The consistency needs to remain consistent when the working set of files is consistent, and should not need to be consistent across changes to the vagaries of the storage medium, including the vagaries of Zip files.

To that end, the consistent hash of an archived entry-point is the SHA-512 of its manifest (its compartment-map.json). For this to work, the compartment-map.json must also contain the SHA-512 of every module that participates in the archive.

To be sure of the integrity of an archive, it should suffice to take the SHA-512 of the compartment-map.json within its Zip file, compare that to a known hash of an inspected contract, and for the Compartment Mapper to verify the hashes in a compartment-map.json match the modules it loads at runtime. For a more rigorous static analysis, a Zip file can be verified by inspecting all of the hashes.

I propose:

  • adding an @endo/compartment-mapper/hash-archive.js entry module exporting a hashArchive function that returns the hash of the compartment-map.json in a Zip archive
  • adding an @endo/compartment-mapper/hash.js entry module exporting a hashLocation function that returns the hash of the compartment-map.json at a file URL.
  • adding an npm installable enhash tool that drives either of the above hash functions.
  • adding an optional sha512 read power to makeArchive and writeArchive that captures the SHA-512 of every module in a generated compartment-map.json.
  • adding an optional sha512 read power to parseArchive, loadArchive, importArchive that it will use to validate the consistency of the hashes in compartment-map.json. When providing a sha512, the compartment mapper will reject any archive that was generated without a sha512.
@kriskowal kriskowal self-assigned this Jun 22, 2021
@kriskowal

This is the blocker du jour for switching the contract bundle format to Zip files by default (Agoric/agoric-sdk#3273). There is a Zoë test that currently verifies source directly that would need to instead properly verify the contract hash.

@kriskowal

The implementation in #799 drifted in small ways from the intended design. Functions like hashLocation were more convenient to implement from within the implementation of archive.js, so it's exported from there. Its internal logic is a refactor of the substance of archive creation since it does all the same work except for packing up the zip archive.
