Need to automatically and securely verify a download is legit? You bet rget this new tool

Brandon Philips, a member of the technical staff at Red Hat, has created a software tool called rget for Linux, macOS, and Windows, to make it easier to determine whether downloaded files can be trusted.

The command-line application is intended as an alternative to wget, a widely used tool for fetching files that has been around for more than two decades. In a phone interview with The Register on Monday, Philips said he hopes that rget sees enough adoption that its functionality gets incorporated into wget and other software distribution mechanisms like Docker and npm.

The advantage of rget over wget is that the former provides a way to automatically and securely verify the integrity of downloaded files so that users can be confident that stuff they've just fetched has not been tampered with since its publication on the internet.

Specifically, rget can fetch a file from a given URL, and check a SHA-256 hash of that file's contents against the official hash entry for that URL in a public cryptographic log. If the hash of the downloaded file does not match the expected hash in the log, that indicates the download has been altered by someone in an unauthorized way, and an alarm is raised.

When someone publishes a file on the internet that they wish to be verified by rget, they have to add the file's hash and URL to the public log so that, in future, rget can verify the legitimacy of downloaded copies of said file from the given URL.

Many developers are familiar with SHA-256 hashes, those lengthy alphanumeric strings that are often listed alongside download links on web pages but may not be replicated elsewhere. It's this lack of an authoritative public record of digests that rget aims to address. The rget tool therefore automates the process of publishing files and distributing the cryptographic digest to multiple parties, which makes it easy to assess file integrity and to build tools that automate alerts about unauthorized file changes.

Running rget might look something like this:

rget https://github.com/philips/releases-test/archive/v1.0.zip

Releasing software using rget would involve two commands:

rget github publish-release-sums https://github.com/merklecounty/rget/releases/tag/v0.0.6

rget submit https://github.com/merklecounty/rget/releases/download/v0.0.6/SHA256SUMS

One of the problems with hacked libraries is that it may take time for word to reach affected individuals. With rget, the hope is to normalize the publication of cryptographic digests with every set of published files and to provide a distributed record of digests for automatic auditing.

The project arose from work Philips and others did on etcd, a distributed reliable key-value store often used with Kubernetes and other applications. Initially, Philips explained, doing cryptographic signatures for etcd releases was easy because all the contributors were in-house at CoreOS (later acquired by RedHat, which in turn got acquired by IBM).

But as more people began working on that project, the etcd team had to confront the difficulty of managing cryptographic keys across a geographically distributed group of people.

"We didn't have a good solution and turns out no project has a good solution to that," said Philips. "At the end of it, I started to look at other solutions because key custody is difficult."

With services like GitHub, NPM and elsewhere, said Philips, software is secured using usernames and passwords. But in recent years, the shortcomings of this approach have become apparent.

For example, in 2016, Linux Mint 17.3 Cinnamon edition was compromised with a backdoor. More recently, malicious code was found in the PureScript installer distributed through npm. And there have been other attacks on developer-oriented resources because such software often gets used widely enough to make it attractive to miscreants.

Philips said the security community is concerned about this because there may be hundreds of thousands of people or more relying code kept safe only with a password.

Certificate Authorities have tried to make online certificates more trustworthy through the Certificate Transparency project, which provides a way to audit the issuance and maintenance of TLS/SSL certificates.

"Mozilla had created a design document for auditing software releases based on the Certificate Transparency project," Philips said. "No one had implemented it so I went off and did it."

The software is currently in alpha stage but Philips said he hopes to see 20 or so large GitHub projects testing rget by the end of the year.

"It would be awesome if Kubernetes, before it runs a container, checked the container digest," he said. ®