selfhosted
/
padloc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
padloc/docs/checksums/web/README.md

197 lines
7.5 KiB
Markdown
Raw Normal View History

Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
# Checksums (Web)
We use file checksums (SHA-256) to verify the source code you see matches the
code served by our app. These are instructions for you to verify that too, so
you don't have to trust us.
**NOTE:** These commands are meant for Linux and should also work on macOS. For
Windows systems, we suggest you run them via WSL2.
## Verify checksums against source code
1. Clone repo and install dependencies:
```bash
git clone git@github.com:padloc/padloc.git && \
cd padloc && \
Prepare CI and docs for branch rename And also remove `v4` reference.
2022-07-19 10:11:37 +00:00
git pull origin/main && \
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
npm install
```
Prepare CI and docs for branch rename And also remove `v4` reference.
2022-07-19 10:11:37 +00:00
2. Build code (replace `web.padloc.app` with whatever domain you're trying to
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
check, if not padloc's production):
```bash
Prepare CI and docs for branch rename And also remove `v4` reference.
2022-07-19 10:11:37 +00:00
PL_PWA_URL=https://web.padloc.app \
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
PL_SERVER_URL=$PL_PWA_URL/server/ \
npm run pwa:build
```
3. Download the latest `sha256sums-web.txt` checksum file:
```bash
cd packages/pwa/dist && \
wget https://github.com/padloc/padloc/releases/latest/download/sha256sums-web.txt
```
4. Verify checksums match:
```bash
sha256sum -c sha256sums-web.txt
```
You should see all filenames with an `OK` next to them for matching
checksums. You'll get a warning at the end of the script if something didn't
match.
Here's an illustrative example of success:
```txt
./main.js: OK
./9c5a939648cf4e10869c369c7262c0b2.woff2: OK
./0ce7bb41cbc2ad09a21b7b5222628111.svg: OK
./zxcvbn.chunk.js: OK
./manifest.623e2268f17398ec7f19225e281e4056.json: OK
./ua-parser.chunk.js: OK
./locale_res_wordlists_pt_json.chunk.js: OK
./locale_res_wordlists_en_json.chunk.js: OK
./sw.js.map: OK
./app_src_elements_app_ts.chunk.js.map: OK
./index.html: OK
./ua-parser.chunk.js.map: OK
./6d964ac2439b4e11afd25d1d47df88b6.woff2: OK
./56435da2448caaff95b05759954ec6ee.woff2: OK
./icon_192x192.8dfb7236c7e6b6591567173b18eaa144.png: OK
./vendors-app_node_modules_autosize_src_autosize_js-app_node_modules_dompurify_dist_purify_js-a-10f8da.chunk.js.map: OK
./app_src_elements_app_ts.chunk.js: OK
./sw.js: OK
./main.js.map: OK
./icon_384x384.971e45062e4d601a3014dc16ee3ed27b.png: OK
./locale_res_translations_fr_json.chunk.js: OK
./c94db5f3862667362c6815c9b1ec8acf.woff2: OK
./icon_256x256.9a47fba2857d94939047064f37cd075f.png: OK
./locale_res_translations_pl_json.chunk.js: OK
./locale_res_translations_es_json.chunk.js: OK
./locale_res_translations_de_json.chunk.js: OK
./zxcvbn.chunk.js.map: OK
./locale_res_translations_ru_json.chunk.js: OK
./papaparse.chunk.js.map: OK
./5d40dd64e2278fe436ba68ac7f1195a4.woff2: OK
./jsqr.chunk.js.map: OK
./1bbee3bd1bc00c4dce2a7c7046930ae6.woff2: OK
./app_src_lib_1pux-parser_ts.chunk.js.map: OK
./vendors-app_node_modules_date-fns_esm_sub_index_js.chunk.js: OK
./locale_res_wordlists_de_json.chunk.js: OK
./favicon.png: OK
./icon_128x128.f620784d1682c9fbb033d3b018e7d998.png: OK
./vendors-app_node_modules_autosize_src_autosize_js-app_node_modules_dompurify_dist_purify_js-a-10f8da.chunk.js: OK
./app_src_lib_1pux-parser_ts.chunk.js: OK
./papaparse.chunk.js: OK
./icon_512x512.e3175643e8fe0d95175a493da5201480.png: OK
./4a9ab29a10089191088de2b7c02c78e7.woff2: OK
./locale_res_wordlists_es_json.chunk.js: OK
./locale_res_translations__template_json.chunk.js: OK
./vendors-app_node_modules_date-fns_esm_sub_index_js.chunk.js.map: OK
./locale_res_wordlists_fr_json.chunk.js: OK
./icon_96x96.eda9f98be1c35dabab77f9d2ab7be538.png: OK
./5ce2631c76a09ec2ab1d619e3b1eda91.woff2: OK
./jsqr.chunk.js: OK
./b1fac335d3804d9dadf795e093048b40.woff2: OK
./03e3c10d4a52fe7b56918f851766d886.woff2: OK
./date-fns.chunk.js.map: OK
./date-fns.chunk.js: OK
```
And one with a tampered `main.js` file:
```txt
./main.js: FAILED
./9c5a939648cf4e10869c369c7262c0b2.woff2: OK
./0ce7bb41cbc2ad09a21b7b5222628111.svg: OK
./zxcvbn.chunk.js: OK
./manifest.623e2268f17398ec7f19225e281e4056.json: OK
./ua-parser.chunk.js: OK
./locale_res_wordlists_pt_json.chunk.js: OK
./locale_res_wordlists_en_json.chunk.js: OK
./sw.js.map: OK
./app_src_elements_app_ts.chunk.js.map: OK
./index.html: OK
./ua-parser.chunk.js.map: OK
./6d964ac2439b4e11afd25d1d47df88b6.woff2: OK
./56435da2448caaff95b05759954ec6ee.woff2: OK
./icon_192x192.8dfb7236c7e6b6591567173b18eaa144.png: OK
./vendors-app_node_modules_autosize_src_autosize_js-app_node_modules_dompurify_dist_purify_js-a-10f8da.chunk.js.map: OK
./app_src_elements_app_ts.chunk.js: OK
./sw.js: OK
./main.js.map: OK
./icon_384x384.971e45062e4d601a3014dc16ee3ed27b.png: OK
./locale_res_translations_fr_json.chunk.js: OK
./c94db5f3862667362c6815c9b1ec8acf.woff2: OK
./icon_256x256.9a47fba2857d94939047064f37cd075f.png: OK
./locale_res_translations_pl_json.chunk.js: OK
./locale_res_translations_es_json.chunk.js: OK
./locale_res_translations_de_json.chunk.js: OK
./zxcvbn.chunk.js.map: OK
./locale_res_translations_ru_json.chunk.js: OK
./papaparse.chunk.js.map: OK
./5d40dd64e2278fe436ba68ac7f1195a4.woff2: OK
./jsqr.chunk.js.map: OK
./1bbee3bd1bc00c4dce2a7c7046930ae6.woff2: OK
./app_src_lib_1pux-parser_ts.chunk.js.map: OK
./vendors-app_node_modules_date-fns_esm_sub_index_js.chunk.js: OK
./locale_res_wordlists_de_json.chunk.js: OK
./favicon.png: OK
./icon_128x128.f620784d1682c9fbb033d3b018e7d998.png: OK
./vendors-app_node_modules_autosize_src_autosize_js-app_node_modules_dompurify_dist_purify_js-a-10f8da.chunk.js: OK
./app_src_lib_1pux-parser_ts.chunk.js: OK
./papaparse.chunk.js: OK
./icon_512x512.e3175643e8fe0d95175a493da5201480.png: OK
./4a9ab29a10089191088de2b7c02c78e7.woff2: OK
./locale_res_wordlists_es_json.chunk.js: OK
./locale_res_translations__template_json.chunk.js: OK
./vendors-app_node_modules_date-fns_esm_sub_index_js.chunk.js.map: OK
./locale_res_wordlists_fr_json.chunk.js: OK
./icon_96x96.eda9f98be1c35dabab77f9d2ab7be538.png: OK
./5ce2631c76a09ec2ab1d619e3b1eda91.woff2: OK
./jsqr.chunk.js: OK
./b1fac335d3804d9dadf795e093048b40.woff2: OK
./03e3c10d4a52fe7b56918f851766d886.woff2: OK
./date-fns.chunk.js.map: OK
./date-fns.chunk.js: OK
sha256sum: WARNING: 1 computed checksum did NOT match
```
## Verify what you're using has the same source code
Prepare CI and docs for branch rename And also remove `v4` reference.
2022-07-19 10:11:37 +00:00
1. Download a website (replace `web.padloc.app` with whatever domain you're
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
trying to check), and all the relevant files:
```bash
Prepare CI and docs for branch rename And also remove `v4` reference.
2022-07-19 10:11:37 +00:00
HOST_TO_CHECK=web.padloc.app && \
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency.
2022-06-20 06:34:45 +00:00
wget -r -p -U Mozilla https://$HOST_TO_CHECK && \
cd $HOST_TO_CHECK && \
wget https://github.com/padloc/padloc/releases/latest/download/parse-csp.ts && \
deno run --allow-read=index.html --allow-net=$HOST_TO_CHECK --allow-write=. parse-csp.ts
```
The bash script above downloads a full website into a directory with its
hostname, then parses the `Content-Security-Policy` meta tag to get the list
of all the used/necessary files (using [`Deno`](https://deno.land), after
downloading the [`parse-csp.ts`](parse-csp.ts) file from this repo). This
will change with each build of Padloc, so the script needs to be dynamic.
2. Download the latest `sha256sums-web.txt` checksum file:
```bash
wget https://github.com/padloc/padloc/releases/latest/download/sha256sums-web.txt
```
3. Verify checksums match:
```bash
sha256sum -c sha256sums-web.txt
```
You can see step 4 from the `Verify checksums against source code` section
above, for expected outputs.