
I have a .net core 5.0 solution. I would like to ensure that the files were not modified between the source code check out and a compilation step on a build machine. I don't want to re-invent a wheel but couldn't find an existing solution. There's a suggestion to use sha256 here (see the last two paragraphs). I thought of something like this:

```
MSBuild compilation task
   Compiling solution
      Generating source code sha256 signatures

# The output may look like this

sources.sha256
/src/app1/foo.cs sha1
/src/app2/bar.cs sha1
```

I could then run a final sha1 on the sources.sha256. Lastly and quite importantly, I can repeat the same process on different independently-maintained machines, to ensure the same output and make a supply chain attack more difficult to execute.

I've looked into the checksumalgorithm compiler option, but I'm not sure I can use it, as it would embed sha256 into a PDB file, and I am unsure whether a generated PDB file will be identical between builds which will happen on different machines and platforms.

What's the best way to run a source code integrity check during a build of a C# .net core solution?

oleksii
  • I am trying to understand the threat model here. You are worried that something (in the compiler?) will modify the source files before compiling them? Aren't most supply-chain attacks basically modifying the source code in the source repository or modifying the sources during the build? – omajid Feb 26 '21 at 17:15
  • @omajid this is related to [Solorigate](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) (TLDR; search for `build`). Presumably state-sponsored, highly sophisticated attackers modified source code after the checkout, but before the compile stage, and reverted the changes after the compile stage. The attackers probably limited this to very few Release builds, and made the attack extremely hard to detect. Does this make sense? – oleksii Feb 26 '21 at 17:34
  • Thanks! That's very useful! – omajid Feb 26 '21 at 17:36
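The pre-compile hashing step the question sketches, as an added example that is not from the question or its author: an MSBuild target (assumed to live in the project's .csproj or a Directory.Build.targets) that uses MSBuild's built-in GetFileHash and WriteLinesToFile tasks to write a sources.sha256 manifest of the @(Compile) items immediately before CoreCompile, then takes a single SHA-256 of that manifest for comparison across independent build machines. The target name, the underscore-prefixed item and property names, and the output location under $(IntermediateOutputPath) are my choices, not anything from the page.

```xml
<!-- Added example: hook into the build right before the compiler reads the sources.
     GetFileHash / WriteLinesToFile / VerifyFileHash are built into MSBuild 15.8+. -->
<Project>
  <Target Name="WriteSourceManifest" BeforeTargets="CoreCompile">
    <!-- SHA-256 of every file the C# compiler will actually consume in this build -->
    <GetFileHash Files="@(Compile)" Algorithm="SHA256" HashEncoding="hex">
      <Output TaskParameter="Items" ItemName="_HashedSource" />
    </GetFileHash>

    <!-- One manifest line per file: "<hex sha256>  <path relative to the project>" -->
    <WriteLinesToFile File="$(IntermediateOutputPath)sources.sha256"
                      Lines="@(_HashedSource->'%(FileHash)  %(Identity)')"
                      Overwrite="true" />

    <!-- Single digest of the manifest: this is the value to compare between machines -->
    <GetFileHash Files="$(IntermediateOutputPath)sources.sha256" Algorithm="SHA256">
      <Output TaskParameter="Hash" PropertyName="_SourceManifestHash" />
    </GetFileHash>
    <Message Importance="high" Text="sources.sha256 digest: $(_SourceManifestHash)" />
  </Target>
</Project>
```

The manifest digests only agree across machines if every checkout has byte-identical files (in particular the same line endings, so pin them in .gitattributes rather than relying on each machine's autocrlf setting) and if @(Compile) is enumerated in the same order. MSBuild's VerifyFileHash task can then fail a later build stage when a file's hash no longer matches the value recorded here.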

0 Answers