fix: exclude task-signing-tool folder from tarball, not signer-tool#174
Open
memosr wants to merge 1 commit into
Open
fix: exclude task-signing-tool folder from tarball, not signer-tool#174memosr wants to merge 1 commit into
memosr wants to merge 1 commit into
Conversation
The excludedFolders array in src/lib/task-origin-validate.ts:38 listed "signer-tool", but the README at line 39 instructs users to clone this repo as task-signing-tool/ — which is also the actual GitHub repo name. If the signing tool is installed as a subdirectory of a task folder (via git submodule, nested install, or just convenience), the current exclusion does not match its directory name. The tarball generator then includes the entire tool source in the tarball, changing the hash deterministically computed from the task files alone. Signers comparing hashes between machines or against a published expected hash see a mismatch. The error surfaces as "validation failed" with no indication that the cause is tarball content drift from an incorrectly named exclusion. Updated the exclusion to match the documented and actual repo name.
Collaborator
🟡 Heimdall Review Status
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The tarball exclusion list in
task-origin-validate.tsreferencedsigner-tool, but the documented and actual repo directory name istask-signing-tool. When the tool ends up nested under a task folder, the wrong exclusion name silently changes tarball hashes.The bug
src/lib/task-origin-validate.ts:38 — current exclusion list:
README.md:39 — clone instructions:
The actual GitHub repo name is
task-signing-tool(this repo).There is no
signer-tooldirectory anywhere in the documented workflow.When it breaks
If the signing tool lives as a subdirectory inside a task folder — e.g.:
…then its source files get included in the tarball that the validator hashes. The hash is computed deterministically from the task files; including the tool itself makes the hash depend on the tool version too.
The result: signers running the same task on different machines get different hashes, the validation step fails, and the error message just says "validation failed" with no hint that the tarball content drifted.
The fix
Single string change. Added an inline comment explaining the why, so future maintainers don't "fix" it back to
signer-tool.Verification
src/lib/task-origin-validate.tscacheandout(the existing valid exclusions) untouched