slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security


🐛 FEATURE REQUEST: Distribute Nebula binaries more securely

exercismnow opened this issue

What version of nebula are you using?

v1.8.2

What operating system are you using?

Linux

Describe the Bug

Thank you very much for developing Nebula! This seems like the ZeroTier alternative the world truly needs.

The docs currently recommend downloading Nebula binaries from the GitHub releases page.

This might expose users to malware in the future, in case a hacker is able to publish compromised binaries to this GitHub project.

To give users some protection, please consider distributing Nebula through some or all of these methods, while continuing to release binaries on GitHub:

  • Sign binaries with PGP, and distribute your public key on various keyservers (e.g. keyserver.ubuntu.com, pgp.mit.edu or keyserver.pgp.com).
  • Notify users of updates by distributing Desktop (Linux, Windows, Mac) binaries through repositories, or an official Flatpak. I'm not sure how exactly this would be done (not a technical expert). But if you could run nebula through commands obtained via a package manager, and then just download the configuration file from GitHub, that seems like a security improvement.

Logs from affected hosts

No response

Config files from affected hosts

No response

Hi @exercismnow -

Thanks for the feedback. All builds produced on our Releases page are generated via a GitHub Actions workflow. In order to sign them during the build process (to ensure that there was no post-build tampering prior to the signature) we would need to provide GitHub with a private PGP key - this means that if our GitHub repository is compromised, any builds created from it would inherently be signed by this PGP key. Therefore, I don't think that adding a PGP signature to the release process meaningfully improves user security.

However, from a given release page you will be able to see the tag it was created from. Typically @wadey creates these tags and he signs the tags before pushing them up using a local PGP private key. For example...

[Screenshot, 2024-01-22 2:15:25 PM: release tag shown with its signature]

You can find recent workflow runs to verify that they were run against the signed tag: https://github.com/slackhq/nebula/actions/workflows/release.yml

Regarding your other suggestion:

Notify users of updates by distributing Desktop (Linux, Windows, Mac) binaries through repositories, or an official Flatpak. I'm not sure how exactly this would be done (not a technical expert). But if you could run nebula through commands obtained via a package manager, and then just download the configuration file from Github, that seems like a security improvement.

In general, we expect distributions to package Nebula themselves. Those distro maintainers will typically sign their packages and make their public keys available, usually as part of the package management tooling. For example, the nebula package for Arch Linux and the nebula package for Debian.

I hope this helps!
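The check the maintainer describes above (release tag is signed, and the release workflow run built exactly that tag's commit), as an added example that is not part of this thread or of the Nebula project. Input shapes follow the GitHub REST API for git tag objects and workflow runs as fetched with `gh api`; the tag name, SHAs and run outcomes below are constructed samples.

```python
"""Confirm a release was built by release.yml from a signed tag (added example).

Input shapes follow GitHub's REST API (GET /repos/{owner}/{repo}/git/tags/{sha}
and GET /repos/{owner}/{repo}/actions/runs); the values here are constructed.
"""
from typing import Optional

# Constructed sample: the annotated tag object behind a release (fake SHAs).
TAG_OBJECT = {
    "tag": "v1.8.2",
    "object": {"type": "commit", "sha": "1111111111111111111111111111111111111111"},
    "verification": {"verified": True, "reason": "valid"},
}

# Constructed sample: two release.yml runs for the tag; only the second built
# the signed commit and finished successfully.
WORKFLOW_RUNS = [
    {"path": ".github/workflows/release.yml", "event": "push", "head_branch": "v1.8.2",
     "head_sha": "2222222222222222222222222222222222222222", "conclusion": "failure"},
    {"path": ".github/workflows/release.yml", "event": "push", "head_branch": "v1.8.2",
     "head_sha": "1111111111111111111111111111111111111111", "conclusion": "success"},
]


def signed_tag_commit(tag_object: dict) -> Optional[str]:
    """Return the commit a tag points at, but only if the tag signature verified."""
    verification = tag_object.get("verification") or {}
    if not verification.get("verified") or verification.get("reason") != "valid":
        return None
    target = tag_object.get("object") or {}
    if target.get("type") != "commit":
        return None  # a tag pointing at a tree or another tag is not a release commit
    return target.get("sha")


def release_built_from(tag_object: dict, runs: list,
                       workflow: str = ".github/workflows/release.yml") -> bool:
    """True when a successful run of the release workflow built the signed tag's commit."""
    commit = signed_tag_commit(tag_object)
    if commit is None:
        return False
    return any(
        r.get("path") == workflow
        and r.get("event") == "push"
        and r.get("head_branch") == tag_object.get("tag")
        and r.get("head_sha") == commit
        and r.get("conclusion") == "success"
        for r in runs
    )
```

For a trust anchor that does not depend on GitHub's own signature status, run `git verify-tag` locally against a copy of the signer's public key and feed that tag's commit into the run comparison instead of the API's `verification` field.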