Security of the CLI download step

[Erotemic]

In the CLI setup instructions: https://docs.rocketpool.net/guides/node/docker.html#downloading-the-rocket-pool-cli

It was the user to wget a url, give it execution permissions and run it.

The file downloaded is an 18MB binary that does who knows what. There doesn't seem to be a way that I can verify this binary corresponds to the code in: https://github.com/rocket-pool/smartnode

So the only encouragement that running this code is in any way trustworthy is that it in an https url.

There are several mitigations that could be done to increase the security posture of this critical step:

1. Sign the binaries (e.g. with gpg keys from trusted community members).
2. Release expected sha256 / sha512 hashes of the binaries so users can verify they have something expected.
3. Release the binaries on IPFS in addition to github
4. Add a section to the docs that provides instructions on how to build the CLI from source.

The first 3 options make a modified binary attack much harder. Signing the binaries gives as much confidence as the chain of trust provides, which can be a little or a lot. Publishing hashes makes it much easier to automate setting up nodes that pin to a specific version of the CLI. Publishing on IPFS has similar benefits to the hashes in addition to providing a distributed means of accessing the binaries rather than relying on a centralized github server.

The last option is the most impactful. Users can verify the code themselves and use the builtin security that comes with git to verify the code they are building is the code they expect to build.

[jclapis]

Hi! Thanks for your concerns here. Just so you're aware, the first point is already being done; the Smartnode is released on GitHub signed by a GPG key. For example, take a look at the release artifacts here:

https://github.com/rocket-pool/smartnode-install/releases/tag/v1.6.5

You'll see each file (including the install script, the CLI binaries, and the daemons) is accompanied by a GPG signature. The GPG public key itself is also included there. Users are free to verify that the binaries match what is signed by that key. That process should account for your second point as well, but if you'd like to see sha hashes of the files too, we can certainly provide those. I think it's fair that this process could be included in the documentation for people who don't know how to verify GPG signatures, so we'll work on that.

Regarding point 3, I think we could discuss putting the binaries up on IPFS as well. Let me talk about that with the team, because we'd likely need to use a pinning service for it.

For point 4, building from source would probably require its own section to cover things like setting up a Go environment, testing, comparing your version against the canonical version, etc. I think it makes sense to do, but maybe in the dev section of the docs instead of the user guides.

[Erotemic]

the first point is already being done

Excellent, thank you for the pointer. I'll take a look at using it and I may submit a PR that adds a little bit of text to the docs that point at it too.

Regarding point 3, I think we could discuss putting the binaries up on IPFS as well. Let me talk about that with the team, because we'd likely need to use a pinning service for it.

A pinning service probably is the best way to go. Not sure what your current server for publishing binaries looks like, but it might not be too hard to run an IPFS node on that as well. Not sure, thanks for considering it.

For point 4, building from source would probably require its own section to cover things like setting up a Go environment, testing, comparing your version against the canonical version, etc. I think it makes sense to do, but maybe in the dev section of the docs instead of the user guides

Yeah, I think just adding a quick link like: advanced: if you want to build from source see . Most people wont use it, but some will, and those people will be more likely to help make those build instructions even better.

[Erotemic]

I am working on making a small PR to add some text about GPG verification. For reference my process for choosing the arch looks like this:

    ARCH=$(uname -m)
    declare -A ARCH_LUT=(
        ["x86"]="amd64"
        ["x86_64"]="amd64"
        ["aarch64"]="arm64"
    )
    ARCH="${ARCH_LUT[${ARCH}]}"
    echo "ARCH = $ARCH"

    PREFIX=$HOME/.local
    mkdir -p "$PREFIX/bin"
    wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-"${ARCH}" -O ./rocketpool 
    wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-"${ARCH}".sig -O ./rocketpool.sig
    wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/smartnode-signing-key-v3.asc -O ./smartnode-signing-key-v3.asc

    # Sign key belongs to:
    # https://github.com/jclapis
    gpg --import ./smartnode-signing-key-v3.asc
    gpg --verify rocketpool.sig rocketpool
    mv ./rocketpool "$PREFIX/bin/rocketpool"

    chmod +x "$HOME"/.local/bin/rocketpool
    rocketpool --version