Does Rust's Cargo package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?

I see a lot of guides providing installation instructions with steps asking the user to install Rust dependencies with cargo install .... I usually don't do this, as I trust my OS package manager (i.e. apt) to actually validate the origin/trust and integrity of the package before installing it.

Does cargo provide cryptographic authentication and integrity checks for all items downloaded before installing them by default?

Note: Transport validation via X.509 does not count as a valid auth/integrity check.

Michael Altfield
    Why does transport security "not count"? – Dec 14 '21 at 23:22
  • Would you mind editing the question to clarify what particular properties and guarantees you are looking for? – Whymarrh Dec 14 '21 at 23:42
  • X.509 is the issue. It doesn't count because there are too many historical examples where compromised CAs were in trusted root stores. See also https://security.stackexchange.com/questions/234052/where-can-i-find-a-list-of-all-government-agencies-with-cas-in-pki-root-stores – Michael Altfield Jan 08 '22 at 18:10
  • Another reason X.509 doesn't protect you, a different risk: if the release "Publishing Infrastructure" itself is compromised. There are also lots of historical examples where this happened, and transport security can't protect you here. If you have cryptographically signed releases, then you don't have to trust your infrastructure. See this inexhaustive list of historical examples https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises – Michael Altfield Jan 08 '22 at 18:13

1 Answer

Cargo verifies SHA-256 hashes of the objects it downloads. However, the manifests it downloads are not digitally signed, although they are downloaded over HTTPS.

If you are using a Cargo.lock file, these SHA-256 values are stored in that file (as the checksum field), so assuming that what the author had specified is correct, you can verify the integrity of the dependencies that way.

Note that this is true of many other languages as well, including Go.

If you'd prefer to specify your packages as Debian archives, you can do so with cargo2deb. Note that this will still need to download the source from crates.io.

bk2204
  • So it sounds like the answer is "no". For clarity, can you please state this in your answer? – Michael Altfield Nov 14 '21 at 22:24
  • I think your definition and my definition of providing cryptographic integrity checks are different. If your question is whether they are digitally signed to a trusted root, then no. If your question is whether a party who receives a project (e.g., from a Git repository) can verify its integrity, then yes. I don't think I'd like to modify my answer to conform to your definition, so I'm not doing so. – bk2204 Nov 14 '21 at 22:43
  • Secure, cryptographic integrity is distinct from integrity. The integrity checks you describe in your answer provide zero security. They only check for non-malicious corruption during download. – Michael Altfield Nov 14 '21 at 22:55
  • I'm certain I understand the concept of cryptographic integrity quite well and I stand by my answer. I don't think this comment thread is going in a productive direction, and I won't respond further here. – bk2204 Nov 14 '21 at 23:02
  • Sorry, you're right. What I meant was cryptographic authenticity*. The hash-based integrity check you describe in your answer provides zero security, as it only checks for integrity, not authenticity. – Michael Altfield Nov 30 '21 at 11:55
  • @MichaelAltfield I think you still need to edit your question to answer the comment from MechMK1 - Why do you believe that transport security "doesn't count?" – Xander Dec 15 '21 at 07:34
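As an added example (not Cargo's own code and not part of this thread), the script below re-checks a downloaded .crate file (the tarball Cargo caches under ~/.cargo/registry/cache) against the checksum field of a Cargo.lock, which is the check the answer describes. The lockfile excerpt, the crate bytes and the git-only entry are constructed; a match proves the download is byte-identical to what the lockfile's author pinned, and nothing more, which is the integrity-versus-authenticity distinction the comment thread draws.

```python
import hashlib
import re

# Constructed Cargo.lock excerpt (not from any real project). Registry crates
# carry a `checksum`; crates pulled from git or a local path do not.
CARGO_LOCK_TEMPLATE = """[[package]]
name = "example-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{digest}"

[[package]]
name = "git-only"
version = "0.1.0"
source = "git+https://example.invalid/git-only.git#0123456789abcdef"
"""

# Constructed stand-in for the bytes of example-crate-1.2.3.crate.
SAMPLE_CRATE_BYTES = b"\x1f\x8b constructed tarball stand-in for example-crate 1.2.3\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lock_checksums(lock_text: str) -> dict:
    """Map (name, version) -> checksum, or None when the entry has none.
    Minimal reader for Cargo's [[package]] tables: only single-line
    `key = "value"` fields are read (dependencies arrays are skipped)."""
    entries = {}
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        entries[(fields["name"], fields["version"])] = fields.get("checksum")
    return entries


def verify_crate(lock_text: str, name: str, version: str, crate_bytes: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unverifiable'. 'ok' means the download is
    byte-identical to what the lockfile's author pinned: integrity relative to
    the lockfile, not authenticity (Cargo does not sign, so nothing here proves
    who published the crate)."""
    expected = parse_lock_checksums(lock_text).get((name, version))
    if expected is None:
        return "unverifiable"  # git/path source, or crate not in the lockfile
    return "ok" if sha256_hex(crate_bytes) == expected else "mismatch"


def sample_lock() -> str:
    """Fill in the digest as `cargo generate-lockfile` would on the author's side."""
    return CARGO_LOCK_TEMPLATE.format(digest=sha256_hex(SAMPLE_CRATE_BYTES))
```

A tampered tarball or a swapped version reports "mismatch", while a dependency from a git or path source reports "unverifiable" because the lockfile records no checksum for it.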