The IPFS protocol and its implementations are still in heavy development. This means that there may be problems in our protocols, or there may be mistakes in our implementations. And — though IPFS is not production-ready yet — many people are already running nodes on their machines, so we take security vulnerabilities very seriously.
If you discover a security issue in ipfs-companion, please bring it to our attention right away!
If you find a vulnerability that may affect live deployments — for example, by exposing a remote execution exploit — please send your report privately to security@ipfs.io Please do not file a public issue.
If the issue is a protocol weakness that cannot be immediately exploited, or something not yet deployed, just discuss it openly.
Security-conscious users can confirm that downloaded package does match source code.
Required steps:
- Download package version that is to be verified
- Check out sources of the same tag
- Build package from sources using
yarn dev-buildcommand.
As a result, you will have freshly built packages inbuild/directory - Unzip contents and compare manually or use handy one-liners below.
Convention used in examples below:
ipfs-firefox-addon1.xpiandipfs-firefox-addon2.xpiare equal and match Git sourcesipfs-firefox-addon3.xpicontains changes not present in current sources
Note that XPIs are unzipped before being piped to sha256sum:
$ diff -q <(unzip -p ipfs-firefox-addon1.xpi|sha256sum|cut -f1 -d' ') <(unzip -p ipfs-firefox-addon3.xpi|sha256sum|cut -f1 -d' ') && echo same || echo not_sameSample output for files with matching contents:
$ diff <(unzip -v -l ipfs-firefox-addon1.xpi | cut -c 1-9,59-,49-57 | sort -k3) <(unzip -v -l ipfs-firefox-addon2.xpi | cut -c 1-9,59-,49-57 | sort -k3) && echo same || echo not_same
same
Sample output for files with different contents:
$ diff -q <(unzip -p ipfs-firefox-addon1.xpi|sha256sum|cut -f1 -d' ') <(unzip -p ipfs-firefox-addon3.xpi|sha256sum|cut -f1 -d' ') && echo same || echo not_same
Files /proc/self/fd/11 and /proc/self/fd/12 differ
not_sameIt is possible to list package contents with CRC-32 checksums provided by ZIP container:
$ unzip -v -l ipfs-firefox-addon1.xpi | cut -c 1-9,59-,49-57 | sort -k3To compare two packages in one command:
$ diff <(unzip -v -l ipfs-firefox-addon1.xpi | cut -c 1-9,59-,49-57 | sort -k3) <(unzip -v -l ipfs-firefox-addon3.xpi | cut -c 1-9,59-,49-57 | sort -k3) && echo same || echo not_sameSample output for two different versions of XPI:
$ diff <(unzip -v -l ipfs-firefox-addon1.xpi | cut -c 1-9,59-,49-57 | sort -k3) <(unzip -v -l ipfs-firefox-addon3.xpi | cut -c 1-9,59-,49-57 | sort -k3) && echo same || echo not_same
5,7c5,7
< 174 d991ba90 defaults/preferences/prefs.js
< 37615 30 files
< 2270 06d511c2 harness-options.json
---
> 225 5b287a38 defaults/preferences/prefs.js
> 38998 30 files
> 2315 6291e716 harness-options.json
13c13
< 385 c2c13711 options.xul
---
> 513 4f3e0732 options.xul
33,34c33,34
< 6376 45297f28 resources/ipfs-firefox-addon/lib/index.js
< 966 e48f0540 resources/ipfs-firefox-addon/lib/package.json
---
> 7517 7565d9af resources/ipfs-firefox-addon/lib/index.js
> 984 83079aef resources/ipfs-firefox-addon/lib/package.json
not_same