Skip to content

feat: verify binary checksums before execution#797

Open
radkomih wants to merge 2 commits into
mainfrom
00340-verify-binary-checksums-before-execution
Open

feat: verify binary checksums before execution#797
radkomih wants to merge 2 commits into
mainfrom
00340-verify-binary-checksums-before-execution

Conversation

@radkomih

@radkomih radkomih commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Description

This pull request changes the following:

  • Adds software.VerifyExecutables(artifactName) — re-hashes installed binaries on disk against their catalog checksums right before execution, catching post-install tampering that install-time checks miss (pkg/software/exec_verifier.go).
  • Resolves checksums against the version recorded in on-disk state (via new state.ReadSoftwareVersionFromDisk), falling back to the catalog default, and skips with a warning when the installed version is no longer in the catalog.
  • Adds a reusable VerifyExecutablesStep inserted before SetupSystemdService for kubelet, cri-o, and teleport.
  • Adds inline verification before directly-exec'd binaries: cilium (install/rollback + acceleration migration), kubeadm/kubectl (InitializeCluster, ResetCluster best-effort), and teleport configure.
  • Extracts shared crioInstalledBinaryPaths helper + CrioArtifactName constant so Install and verification never drift.
  • Removes the obsolete CiliumHostLegacyRoutingMigration; pins arduino/setup-task back to v2.0.0 in CI.

Related Issues

@radkomih radkomih self-assigned this Jul 1, 2026
@radkomih radkomih requested a review from a team as a code owner July 1, 2026 12:03
@radkomih radkomih requested a review from crypto-pablo July 1, 2026 12:03
@swirlds-automation

swirlds-automation commented Jul 1, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@radkomih radkomih force-pushed the 00340-verify-binary-checksums-before-execution branch from 056d64b to ab1b743 Compare July 1, 2026 12:04
@brunodam brunodam requested a review from Copilot July 1, 2026 21:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a “time-of-use” executable integrity check that re-hashes installed sandbox binaries right before they’re executed (or before systemd service startup), closing the post-install tampering/TOCTOU gap that install-time verification can’t cover.

Changes:

  • Introduces software.VerifyExecutables(artifactName) (plus helpers) to verify on-disk binaries against catalog checksums, resolving expected checksums using the version recorded in on-disk state.
  • Wires reusable VerifyExecutablesStep into workflows before systemd starts for kubelet, cri-o, and teleport, and adds inline verification for directly executed binaries (kubeadm/kubectl/cilium/teleport configure, plus cilium acceleration migration).
  • Adds state-reader support to read recorded per-component software versions without loading full state, plus unit tests for the verifier and workflow-step behavior.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pkg/software/teleport_node_agent_installer.go Adds pre-exec verification before running teleport configure.
pkg/software/teleport_node_agent_installer_test.go Tests that configure aborts when verification fails.
pkg/software/exec_verifier.go Implements catalog/state-aware pre-exec checksum verification and sandbox path resolution.
pkg/software/exec_verifier_test.go Unit tests for verifier core logic and path mapping.
pkg/software/crio_installer.go Extracts CrioArtifactName and shared CRI-O binary path mapping helper.
internal/workflows/steps/step_verify_executables.go Adds reusable workflow step to verify binaries before service start.
internal/workflows/steps/step_verify_executables_test.go Tests success/failure behavior of the new verification step.
internal/workflows/steps/step_teleport.go Inserts verification step before starting teleport systemd service.
internal/workflows/steps/step_kubeadm.go Adds inline verification before invoking kubectl/kubeadm (incl. rollback) and best-effort reset.
internal/workflows/steps/step_kubeadm_test.go Pins expected behavior when kubeadm/kubectl verification fails.
internal/workflows/steps/step_cilium.go Adds inline verification before invoking cilium (install + rollback).
internal/workflows/steps/step_cilium_test.go Pins expected behavior when cilium verification fails.
internal/workflows/migration_cilium_acceleration.go Adds checksum verification before executing cilium upgrade during migration.
internal/workflows/migration_cilium_acceleration_test.go Tests that migration aborts before upgrade when verification fails.
internal/workflows/cluster.go Inserts verification step before kubelet/cri-o systemd service setup.
internal/state/state_reader.go Adds ReadSoftwareVersionFromDisk and YAML shape for extracting per-component versions.
internal/state/state_reader_test.go Tests version extraction via key/name matching logic.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/software/exec_verifier_test.go
@radkomih radkomih force-pushed the 00340-verify-binary-checksums-before-execution branch from ab1b743 to 4203872 Compare July 2, 2026 10:17
radkomih added 2 commits July 2, 2026 13:17
Signed-off-by: Rado M <radkomih@gmail.com>
Signed-off-by: Rado M <radkomih@gmail.com>
@radkomih radkomih force-pushed the 00340-verify-binary-checksums-before-execution branch from 4203872 to e65e335 Compare July 2, 2026 10:17

@alex-au alex-au left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, some nitpicks in the comment. Can I also confirm if the "obsolete CiliumHostLegacyRoutingMigration" has been removed as stated in the PR description?

Msg("Applying cilium-config (loadBalancer.acceleration=disabled) to existing cluster via 'cilium upgrade'")

// Verify the cilium binary before executing it.
if err := verifyCiliumExecutable(); err != nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great, should we do the same before L124 in migration_cilium_host_legacy_routing.go?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(software): verify sandbox binary checksums before execution to close TOCTOU gap

4 participants