#general

delightful-monkey-90700

03/03/2023, 5:25 PM
Is anyone using Pulumi within a PCI-DSS environment given that it downloads and runs code from the Internet without any integrity checking? Right now, I manually verify that the checksums of the downloaded plugins match, but that requires downloading a file which contains the checksums -- but there's no way to verify the integrity of that file (i.e., it's not signed or anything).

orange-policeman-59119

03/03/2023, 7:55 PM
We use sigstore to sign the archives we publish on github.com/pulumi/pulumi/releases
We're considering how to apply this to the broader set of providers and other runtime dependencies

delightful-monkey-90700

03/03/2023, 7:57 PM
Since that's not done, there's no automated integrity checking for the code that is downloaded -- that means manual integrity checking is the only option (with respect to PCI-DSS), but there's no way to anchor the trust in the checksums files to anything so it's a pointless check that doesn't accomplish the goal.

orange-policeman-59119

03/03/2023, 7:59 PM
The signatures on pulumi/pulumi are signed to the sigstore root authority and can be verified via cosign. To your point, we have a ways to go to enable runtime checks.
We do have customers in regulated industries who are implementing controls to satisfy their compliance needs.

delightful-monkey-90700

03/03/2023, 8:00 PM
It's not very meaningful with respect to my question to state that Pulumi the binary has a signature; the question is about the executables that are downloaded and run without any integrity checking. curl is also signed, but if I download random code and run it, that code has not been verified.
Perfect! Any idea how they are checking the integrity of the things Pulumi downloads and runs?

orange-policeman-59119

03/03/2023, 9:58 PM
I'm not sure, there's often room in compliance regimes to replace automated controls with human ones, attestations, or relying e.g. on the security of the third parties. I don't believe any compliance regimes require all binaries to be signed, though the President's EO on supply chain security and recent announcements are on my mind.

delightful-monkey-90700

03/03/2023, 10:00 PM
PCI-DSS requires that code being executed has integrity verified -- signatures are a way to accomplish this by trusting a private key is protected, which can be done one time -- versus unsigned checksums which must be manually verified (I guess by sending you an email?) every time

orange-policeman-59119

03/03/2023, 10:02 PM
Integrity verification can mean many things, e.g.: that the download was what our system transmitted. That can be asserted by using TLS, which we utilize.
I'm afraid I can't say much more except I do know that we serve customers in financial, health, and other regulated industries and we meet some controls ourselves. If you have a specific ask, sales might be able to assist in how to meet your compliance needs or prioritize engineering. My team is working on improving distribution and verification, but we don't have a timeline right now.

delightful-monkey-90700

03/03/2023, 10:07 PM
That's certainly not verifying the integrity of the resource, it's verifying the integrity of the channel and hoping for the best for the resource. FWIW, when I did this with Go previously I just used a simple PKCS#1 v1.5 signature with an HSM holding the private key.

orange-policeman-59119

03/03/2023, 10:08 PM
As an open source project with many teams within and without Pulumi producing providers, we have - I hope you consider this reasonable - not opted to enforce code signing on every OSS provider binary.
Akin to ongoing conversations in the security space (see: Secure Boot signing keys), OSS and roots of trust are hard to combine.

echoing-dinner-19531

03/04/2023, 9:56 PM
We do plan on verifying plugins with checksums. Assuming you trust the package manager that delivers the Pulumi SDKs (npm/nuget/etc.), that code will contain the checksums it expects for the plugin binaries it will run against. Given that if you're in this sort of environment you should have already solved the "how do we trust and verify the package manager" problem, we can just piggyback off that.
Further, as Friel mentioned, we might be able to add signature checks for core Pulumi plugins as well (we obviously can't enforce this on all third-party providers, and we'd just end up with a key distribution problem if we did). Between both of those, would that cover all your concerns re integrity?

purple-coat-73595

03/06/2023, 8:20 AM
I think Terraform is verifying every binary it downloads. If you want to publish anything to their registry, it must be signed and the signature is verified during terraform init (https://developer.hashicorp.com/terraform/registry/providers/publishing). Maybe Pulumi can do something similar?
There is even an issue in Pulumi's github: https://github.com/pulumi/pulumi/issues/9483 that I think is related to this topic.

delightful-monkey-90700

03/06/2023, 5:48 PM
Yeah, I created that issue almost a year ago 😕

echoing-dinner-19531

03/06/2023, 6:04 PM
There has been some progress on that in the background; it's just one of those things where it's not really useful to users until all the work on it is done.