Always verify the integrity of external dependencies, especially those downloaded from non-official or personal repositories. This helps prevent supply chain attacks where compromised packages could introduce security vulnerabilities.
When downloading external packages, pin the expected checksum and verify the downloaded file against it before installing. Example implementation:
```bash
#!/usr/bin/env bash
set -euo pipefail
# Download package
wget -c https://example.com/package.deb
# Define expected checksum. Take the value from the publisher's own checksum file or
# release notes (out of band from the download). Note: the value below is the SHA-256
# of empty input, i.e. a placeholder that must be replaced with the real pin.
EXPECTED_SHA256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Verify checksum and abort on mismatch (sha256sum -c expects two spaces between
# the digest and the filename)
echo "$EXPECTED_SHA256  package.deb" | sha256sum -c - || { echo "Checksum verification failed!" >&2; exit 1; }
# Only proceed with installation if verification passed
sudo dpkg -i package.deb
```
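As an added example that is not part of the original page, the POSIX shell helpers below generalize the snippet above: `verify_sha256` checks one file against a pinned digest (rejecting malformed pins instead of silently "matching"), and `verify_manifest` checks every entry of a SHA256SUMS-style manifest so that a single tampered or missing artifact blocks the whole install step. Function names, the manifest layout and the sample files are this example's own assumptions; it assumes GNU coreutils `sha256sum` (on macOS substitute `shasum -a 256`).

```shell
#!/bin/sh
# Added example (not from the original page): reusable SHA-256 pinning helpers for
# downloaded dependencies. Assumes GNU coreutils sha256sum. All names are this
# example's own.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Exit 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX (hex, case-insensitive).
# A missing file or a malformed pin is a failure, never a match.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "verify_sha256: no such file: $file" >&2
    return 1
  fi
  case "$expected" in
    '' | *[!0-9a-f]*)
      echo "verify_sha256: malformed pin '$2' for $file" >&2
      return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "verify_sha256: pin for $file has ${#expected} hex chars, expected 64" >&2
    return 1
  fi
  actual=$(sha256sum -- "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "verify_sha256: MISMATCH for $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# verify_manifest MANIFEST DIR
# MANIFEST holds one "<sha256>  <filename>" line per pinned dependency (the layout of
# a SHA256SUMS file); blank lines and '#' comments are ignored. Every listed file must
# be present under DIR and match. Exit 0 only when all entries pass.
verify_manifest() {
  manifest=$1
  dir=$2
  failures=0
  checked=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '' | '#'*) continue ;;
    esac
    hash=${line%% *}
    name=${line#* }
    name=${name#"${name%%[! ]*}"}   # drop the spaces left by the two-space separator
    name=${name#\*}                 # drop a leading '*' (binary-mode marker)
    checked=$((checked + 1))
    verify_sha256 "$dir/$name" "$hash" || failures=$((failures + 1))
  done < "$manifest"
  if [ "$checked" -eq 0 ]; then
    echo "verify_manifest: $manifest lists no files" >&2
    return 1
  fi
  echo "verify_manifest: $((checked - failures))/$checked entries verified" >&2
  [ "$failures" -eq 0 ]
}

# Demo with constructed inputs (no network): a good artifact, a tampered copy, and a
# manifest pinning both, so the manifest check fails on the tampered one.
demo() {
  work=$(mktemp -d)
  printf 'hello\n' > "$work/pkg.deb"        # constructed stand-in for a downloaded package
  printf 'hello!\n' > "$work/tampered.deb"  # same content with one byte added
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  # sha256 of "hello\n"
  printf '%s  %s\n' "$good" pkg.deb "$good" tampered.deb > "$work/SHA256SUMS"
  if verify_sha256 "$work/pkg.deb" "$good"; then
    echo "pkg.deb: OK"
  fi
  if verify_manifest "$work/SHA256SUMS" "$work"; then
    echo "all pinned files verified; safe to install"
  else
    echo "refusing to install: at least one pinned file failed verification"
  fi
  rm -rf "$work"
}

demo
```

In a real pipeline the manifest is the thing you commit to version control and review, so a changed pin shows up as a diff; the download step then only ever installs what `verify_manifest` has accepted.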
As a longer-term solution, work towards hosting critical dependencies in organization-controlled repositories with proper access controls and provenance tracking, so that checksum pinning becomes a second line of defense rather than the only one.