PlatformIO Community

Supply chain poisoning

There’s a lot of talk about supply chain poisoning from the security industry at the moment. What safeguards are in place to prevent this happening in PlatformIO. Does it use code signing to verify compilers and other tool-chain elements?

CC @ivankravets for this topic

1 Like

How do I CC him? I don’t see a button for that.

No, I’ve CC-ed him already by mentioning his @.

1 Like

PlatformIO Core uses a genuine PlatformIO Trusted Registry that helps to eliminate any security issues. Each package has its own SHA-256 checksum which will be verified on the client-side. Also, all traffic goes through HTTPS.

Thank you, that is very reassuring

I think this is still about the topic’s question… checksum does verify the package integrity, so this makes sure the server and the client have the same file. Is something like GPG signing in the plans, so the package origin is verified as well? Would it also makes sense to have an ability for the client ‘pin’ the hash of the package instead or in addition to the version spec?