Lack of image download integrity checking


#1
  • the download pages for HiKey 970 images, http://www.lemaker.org/product-hikey970-resource.html and pages linked from it, are only available as clear-binary HTTP and contain only HTTP links for downloading images. Browsers such as Chrome rightfully complain about the insecurity of such an approach. Here, privacy isn’t as much of a problem as download tampering (potential malware injection by replacing the RAR file at some point in the chain);
  • the download mirror server actually supports HTTPS, e.g. https://mirror.lemaker.org/Hikey%20970%20Lebian.rar, but the certificate it presents to clients does not match the domain name. Also, I saw no SHA256 and SHA512 hashes or links to SHA256SUM and SHA512SUM files, let alone GPG signatures for the image binaries. These should be transmitted to clients through HTTPS as well.

Please make supply chain attacks harder by implementing these basic security measures used by most Linux distros :slight_smile:
Thanks in advance.
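The verification flow the post asks for (HTTPS with a matching certificate, a SHA256SUMS file, and a GPG signature over that file), shown from the client side as an added example for this thread. It is not code from Lemaker, Linaro or 96Boards; the URLs, file names and sample payload are constructed placeholders, and the signature step assumes `gpg` is installed with the vendor's key already imported.

```python
"""Checksum and signature verification for a downloaded board image,
the flow the post above asks the vendor to enable.  Added example for
this thread, not code from Lemaker, Linaro or 96Boards; the file names,
URLs and sample payloads are constructed placeholders."""
import hashlib
import hmac
import os
import shutil
import ssl
import subprocess
import tempfile
import urllib.request


def fetch_https(url, dest):
    """Download over HTTPS with full certificate verification.  With the
    default context a server whose certificate does not match the host
    name fails here with ssl.SSLCertVerificationError instead of
    silently delivering bytes."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing plain HTTP download: %s" % url)
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with urllib.request.urlopen(url, context=ctx) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def parse_sha256sums(text):
    """Parse coreutils 'sha256sum' output ('<hex>  <name>' or '<hex> *<name>').
    Returns {name: hexdigest}; rejects malformed lines rather than skipping them."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed SHA256SUMS line: %r" % line)
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images are hashed without loading them in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums):
    """True only if the file's digest equals its SHA256SUMS entry.
    An unlisted file is treated as unverified, not as 'probably fine'."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def verify_signature(sums_path, sig_path):
    """Check the detached GPG signature over the SHA256SUMS file itself, so a
    replaced archive would also need a replaced checksum list and a forged
    vendor signature.  Requires gpg and the vendor key in the keyring;
    returns True only on a good signature."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not installed; cannot verify signature")
    r = subprocess.run([gpg, "--batch", "--verify", sig_path, sums_path],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def demo():
    """Offline walk-through with a constructed image: returns
    (genuine_ok, tampered_ok), expected (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "constructed-image.rar")
        with open(image, "wb") as f:
            f.write(b"not a real board image, constructed for the example")
        # The checksum list a vendor would publish next to the image.
        sums = parse_sha256sums("%s  constructed-image.rar\n" % sha256_of_file(image))
        genuine_ok = verify_download(image, sums)
        # Simulate modification in transit: a single appended byte.
        with open(image, "ab") as f:
            f.write(b"\x00")
        tampered_ok = verify_download(image, sums)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

In real use the SHA256SUMS and its `.asc` signature are fetched with `fetch_https` first, `verify_signature` is checked before the checksum list is trusted, and only then is the image's digest compared; a checksum served over plain HTTP next to the image adds nothing, because whoever can swap the archive can swap the checksum too.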


#2

Hi Lionel

The server used for most 96Boards software (https://releases.linaro.org)
meets some of these requirements but some vendors (including Lemaker)
choose to make additional software available via their own servers and
we do not have control of these.

I did forward this message to support@lemaker.org as a courtesy but
that’s probably all I can do to help here.

Daniel.


#3

Thanks for forwarding the message :slight_smile:
From other topics, I seemed to understand that people from Lemaker read this board, so I hoped that they’d read the message - but what you did is much better.

Technically, Linaro could re-host software from other vendors and make it possible to download more securely, but I’m aware that keeping up with external releases controlled by another vendor is work.