Skip to content

rustup.sh and underlying binaries authentication #16442

Closed
@l0kod

Description

@l0kod

After the #16123, a second step should be to sign all files needed for the installation. Each Rust versions are signed in the git repository. Great! If the "rustup.sh" is included in the git repository, it will be possible to anyone to verify the script (from a git tag) before executing it.

Maybe all (including nightly) underlying binaries hashes should "inherit" from the signature like with the "snapshots.txt" hashes? The main Rust repository or a dedicated one could aggregate all hashes.

So, the guide could be improved by replacing the "curl" instruction with a "git clone + verify-tag". This add some extra MB to the download but worth it for more security to users who care.

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-securityArea: Security (example: address space layout randomization).

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions