Supply chain attacks are the most efficient attack vector for malicious actors. We need a rule that outlines the issue, a.k.a. lack of software verification, and showcases how to at least verify already signed software.
CWE-494: Download of Code Without Integrity Check
Own signatures might require another rule to avoid overloading this one.
Python modules are frequently hosted on mirrors with unknown trust.
Python.org provides a solution via Sigstore since Python 3.10.7
Sigstore information
It is not very well known amongst coders.
Python allows signing wheel files: Binary distribution format — Python Packaging User Guide
https://packaging.python.org/en/latest/specifications/binary-distribution-format/#binary-distribution-format
some text:
Allowing only signed code can prevent injection of malicious or untested code running on production servers. Integrity and authenticity must be verified prior to using code. Authorization must not be assumed but can be based on verifiable individual identities or attributes of signed software.
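An added example, not from the issue author or from the guide this issue proposes to extend, of the minimal mitigation the proposed rule would demand for CWE-494: parse a pip-style hash-pinned requirements file and verify a downloaded wheel against it before the bytes are unpacked, with the vulnerable download-and-use pattern beside the hardened one. It uses only the standard library; the wheel bytes, the package name `example-pkg`, the pin file and the fake mirror are constructed for the example.

```python
"""Verify a downloaded artifact against pinned digests before use (CWE-494).

Added example, not the project's own code. Package name, wheel bytes and the
requirements text below are constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when an artifact fails verification; the caller must not use it."""


@dataclass
class PinnedRequirement:
    name: str
    version: str
    # algorithm -> accepted hex digests (pip allows several, one per wheel/sdist)
    hashes: dict = field(default_factory=dict)


_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
_HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
_STRONG_ALGOS = ("sha256", "sha384", "sha512")


def parse_pinned_requirements(text: str) -> dict:
    """Parse pip-style hash-pinned lines such as
    'pkg==1.2.3 --hash=sha256:<hex> --hash=sha256:<hex>'.
    Backslash line continuations are joined; comments and blank lines skipped.
    A line without a version pin or without a strong hash is rejected, which is
    what pip's --require-hashes mode enforces."""
    joined = re.sub(r"\\\n\s*", " ", text)
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        req = PinnedRequirement(name=m.group(1).lower(), version=m.group(2))
        for algo, hexdigest in _HASH_OPT.findall(line):
            if algo not in _STRONG_ALGOS:
                raise ValueError(f"{req.name}: refusing weak/unknown hash algorithm {algo!r}")
            req.hashes.setdefault(algo, set()).add(hexdigest.lower())
        if not req.hashes:
            raise ValueError(f"{req.name}: no --hash pin, download would be unverified (CWE-494)")
        reqs[req.name] = req
    return reqs


def verify_artifact(data: bytes, req: PinnedRequirement) -> str:
    """Return 'algo:digest' of the pin that matched, or raise IntegrityError.
    Digests are compared with hmac.compare_digest so timing does not reveal
    how many leading characters matched."""
    for algo, digests in req.hashes.items():
        actual = hashlib.new(algo, data).hexdigest()
        if any(hmac.compare_digest(actual, pinned) for pinned in digests):
            return f"{algo}:{actual}"
    raise IntegrityError(f"{req.name}=={req.version}: digest matches no pinned hash")


def unpack(blob: bytes) -> int:
    """Stand-in for extracting/executing the wheel; returns the byte count."""
    return len(blob)


def install_unverified(fetch, name: str) -> int:
    """CWE-494 pattern: whatever the mirror returns is used as-is."""
    return unpack(fetch(name))


def install_verified(fetch, name: str, pins: dict) -> int:
    """Hardened: refuse unknown packages and verify the bytes before unpacking."""
    req = pins.get(name.lower())
    if req is None:
        raise IntegrityError(f"{name}: not in the pinned requirement set, refusing to install")
    blob = fetch(name)
    verify_artifact(blob, req)  # raises before any untrusted bytes are unpacked
    return unpack(blob)


# Constructed sample: a fake wheel blob, a pin file generated from it, and a
# tampered copy of the kind an untrusted mirror could serve.
GOOD_WHEEL = b"PK\x03\x04 constructed-wheel-bytes: example_pkg-1.0.0"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected by mirror"
SAMPLE_REQUIREMENTS = f"""
# generated pin file (constructed for this example)
example-pkg==1.0.0 \\
    --hash=sha256:{GOOD_SHA256}
"""


def mirror(serve: bytes):
    """Factory for a fake untrusted mirror that returns a fixed blob."""
    return lambda name: serve


def demo() -> dict:
    pins = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    results = {
        "unverified_accepts_tampered": install_unverified(mirror(TAMPERED_WHEEL), "example-pkg"),
        "verified_good": install_verified(mirror(GOOD_WHEEL), "example-pkg", pins),
    }
    try:
        install_verified(mirror(TAMPERED_WHEEL), "example-pkg", pins)
        results["verified_rejects_tampered"] = False
    except IntegrityError:
        results["verified_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Hash pinning only gives integrity against what was pinned; the authenticity the draft rule text asks for needs a signature bound to an identity. For CPython downloads that is the Sigstore bundle python.org publishes beside each release, checked with the `sigstore` CLI (`python -m sigstore verify identity` with the release manager identity and OIDC issuer listed on python.org's Sigstore page; consult the current sigstore-python documentation for the exact flags). For third-party packages it is whatever signing scheme the publisher and index actually provide, which is the gap the proposed rule should call out.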