
Validate downloaded Debian kernel package integrity before extraction #92

Description

@coderabbitai

Summary

The Debian kernel downloader currently fetches .deb packages from the Debian archive and extracts data.tar.* without validating the downloaded artifact's integrity first.

We should add integrity validation for downloaded kernel packages before extraction so the downloader can detect tampering, corruption, or unexpected content.

Why

The current implementation in sanitizer/hack/kernel/internal/debian/debian.go trusts the downloaded package body after the HTTP request succeeds. Adding verification would improve the security posture of the downloader and make failures explicit when the archive contents do not match trusted Debian metadata.

Affected area

  • sanitizer/hack/kernel/internal/debian/debian.go
  • Debian archive download and extraction flow used by Repository.FetchBundle

Proposed work

  • Determine the trusted source of package integrity metadata for Debian kernel packages.
  • Validate the downloaded kernel package against that metadata before extracting data.tar.*.
  • Prefer a verification mechanism based on Debian-provided metadata/signatures where feasible.
  • Return a clear error when validation fails.
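One way to implement the checksum step in Go, added here as an example and not code from the repository: it parses a Packages-index stanza for the Filename and SHA256 fields and refuses the downloaded body before extraction when the digest does not match. It assumes the Packages index was itself authenticated against the signed InRelease file (not shown), and the stanza, path and body used in main are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParsePackagesStanza turns one "Field: value" stanza of a Debian Packages index
// into a map. The index itself must already have been authenticated through the
// InRelease signature; that step is assumed here and not shown.
func ParsePackagesStanza(stanza string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(stanza, "\n") {
		if key, val, ok := strings.Cut(line, ":"); ok && !strings.HasPrefix(line, " ") {
			fields[key] = strings.TrimSpace(val) // continuation lines are skipped
		}
	}
	return fields
}

// VerifyPackage checks a downloaded .deb body against the SHA256 recorded in the
// index and must succeed before data.tar.* is extracted. An absent or malformed
// digest is an error too, so a stanza without SHA256 can never pass.
func VerifyPackage(body []byte, fields map[string]string) error {
	want := strings.ToLower(fields["SHA256"])
	if len(want) != hex.EncodedLen(sha256.Size) {
		return fmt.Errorf("%s: index has no usable SHA256", fields["Filename"])
	}
	sum := sha256.Sum256(body)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("%s: sha256 mismatch, got %s want %s", fields["Filename"], got, want)
	}
	return nil
}

func main() {
	// Constructed sample; a real stanza carries many more fields and a real .deb body.
	body := []byte("constructed stand-in for a .deb body")
	stanza := fmt.Sprintf("Package: linux-image-example\nFilename: pool/main/l/linux/example.deb\nSHA256: %x\n",
		sha256.Sum256(body))
	fields := ParsePackagesStanza(stanza)
	fmt.Println("intact:", VerifyPackage(body, fields))              // <nil>
	fmt.Println("tampered:", VerifyPackage(append(body, 0), fields)) // sha256 mismatch
}
```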

Acceptance criteria

  • Downloaded Debian kernel packages are validated before extraction.
  • Validation failure stops processing and returns a descriptive error.
  • The implementation documents which metadata/signature source is trusted.
  • Tests cover at least the success path and a checksum/signature mismatch path.

Backlinks

Requested by: @afritzler
