Summary
The forensic analysis repeatedly calls for mandatory code signing as the primary defense against supply chain attacks. The ClawHub Compromise incident showed that even trusted maintainer accounts can be hijacked, and the only reliable defense is cryptographic verification of skill integrity.
Currently, scan_supply_chain.sh checks for known malicious packages and unverified GitHub sources, but does not verify cryptographic signatures or content hashes of installed skills.
The Problem
```
Normal Install Flow (current -- NO verification):

  ClawHub Registry          User Machine
  +--------------+          +--------------+
  |  skill v1.0  |   inst   |  skill v1.0  |
  |  (legit)     |  ------> |  (trusted?)  |   No way to verify!
  +--------------+          +--------------+

Attack Flow (ClawHub Compromise):

  ClawHub Registry          User Machine
  +--------------+          +--------------+
  |  skill v1.0  |   inst   |  skill v1.0  |
  |  (backdoor)  |  ------> |  (backdoor)  |   Same result!
  +--------------+          +--------------+

With Code Signing (proposed):

  ClawHub Registry          User Machine
  +--------------+          +----------------+
  |  skill v1.0  |   inst   |  Verify:       |
  |  + sig.asc   |  ------> |  hash match?   | --> YES = install
  |  (backdoor)  |          |  sig valid?    | --> NO  = REJECT
  +--------------+          +----------------+
```
Proposed Checks
CHK-SUP-010: Skill has no code signature (WARN)
Check if installed skills have a signature file:
```bash
check_skill_signatures() {
    log_info "CHK-SUP-010: Checking for skill code signatures..."
    local unsigned_count=0

    for skill_dir in "$SKILLS_DIR"/*/; do
        [[ -d "$skill_dir" ]] || continue
        local skill_name
        skill_name="$(basename "$skill_dir")"

        # Accept any of the known signature or checksum file names.
        local has_signature=false
        for sig_file in "$skill_dir"/.signature \
                        "$skill_dir"/SIGNATURE.asc \
                        "$skill_dir"/.clawhub-signature \
                        "$skill_dir"/checksums.sha256; do
            if [[ -f "$sig_file" ]]; then
                has_signature=true
                break
            fi
        done

        # Presence only: this check does not validate the file's contents.
        if ! $has_signature; then
            unsigned_count=$((unsigned_count + 1))
            emit_finding \
                "CHK-SUP-010" "warn" \
                "Skill has no code signature" \
                "No signature or checksum file found. Integrity cannot be verified." \
                "skill=$skill_name" \
                "Only install skills from publishers who sign their releases."
        fi
    done
}
```

CHK-SUP-011: Skill checksum mismatch (CRITICAL)
When a checksum file exists, verify it matches:
- Read each line from checksums.sha256
- Compute shasum -a 256 on the referenced file
- Compare expected vs actual hash
- Any mismatch = CRITICAL (skill may have been tampered with post-install)
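The CHK-SUP-011 steps above as a shell sketch (an added example, not code from scan_supply_chain.sh). It assumes the manifest uses the sha256sum line format; `verify_skill_checksums` and `sha256_of` are hypothetical names, and `emit_finding` is stubbed with the six-argument shape seen in CHK-SUP-010.

```bash
# Added example, not part of scan_supply_chain.sh.
# Assumption: checksums.sha256 lines look like "<hex digest>  <relative path>".
# Stand-in for the scanner's emit_finding helper so this block runs on its own.
command -v emit_finding >/dev/null 2>&1 || emit_finding() {
    printf '[%s] %s: %s - %s (%s)\n' "$2" "$1" "$3" "$4" "$5"
}

# Hash via stdin so odd file names cannot change the tool's output format.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if every listed file matches; 1 on mismatch, missing file or unsafe path.
verify_skill_checksums() {
    local skill_dir="${1%/}" manifest expected path reason failed=0
    manifest="$skill_dir/checksums.sha256"
    [ -f "$manifest" ] || return 0      # a missing manifest is CHK-SUP-010's finding
    while read -r expected path || [ -n "$expected" ]; do
        [ -n "$expected" ] || continue  # skip blank lines
        expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
        path="${path#\*}"               # drop sha256sum's binary-mode marker
        case "$path" in
            /*|..|../*|*/../*|*/..) reason="path escapes the skill directory" ;;
            *)  if [ ! -f "$skill_dir/$path" ]; then
                    reason="listed file is missing"
                else
                    [ "$(sha256_of "$skill_dir/$path")" = "$expected" ] && continue
                    reason="hash mismatch"
                fi ;;
        esac
        failed=1
        emit_finding "CHK-SUP-011" "critical" "Skill checksum mismatch" \
            "$reason" "skill=$(basename "$skill_dir") file=$path" \
            "Reinstall the skill from a trusted source and investigate the change."
    done < "$manifest"
    return "$failed"
}

# Constructed demo: a one-file skill modified after its manifest was written.
demo="$(mktemp -d)"
printf 'echo hello\n' > "$demo/run.sh"
printf '%s  run.sh\n' "$(sha256_of "$demo/run.sh")" > "$demo/checksums.sha256"
printf 'echo changed\n' >> "$demo/run.sh"
verify_skill_checksums "$demo" || echo "verification failed for $demo"
rm -rf "$demo"
```

A checksums.sha256 stored beside the files only catches changes made without also rewriting the manifest. Provenance still depends on a signature over that manifest being verified against a publisher key kept outside the skill directory.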
CHK-SUP-012: No skill lockfile (WARN)
Check common lockfile locations:
- ~/.openclaw/skill-lock.json
- ~/.openclaw/skills.lock
- ~/.openclaw/skills/lockfile.json
Without a lockfile, skill versions may silently drift. An attacker who compromises a registry can push a malicious update that auto-installs on next sync.
Verification Flow Diagram
```
+-----------------------------------------------------+
|             Skill Verification Pipeline             |
|                                                     |
|  1. CHK-SUP-010: Does signature exist?              |
|     +-- NO --> WARN: unsigned skill                 |
|     +-- YES --> Continue                            |
|                                                     |
|  2. CHK-SUP-011: Do checksums match?                |
|     +-- MISMATCH --> CRITICAL: tampered skill       |
|     +-- MATCH --> Continue                          |
|                                                     |
|  3. CHK-SUP-012: Does lockfile pin versions?        |
|     +-- NO --> WARN: versions may drift             |
|     +-- YES --> OK: supply chain verified           |
|                                                     |
+-----------------------------------------------------+
```
References
- Forensic analysis: "Mandatory Code Signing" recommendation
- Forensic analysis: "ClawHub Compromise" -- backdoored skills via hijacked maintainer account
- Forensic analysis: "Static and Dynamic Analysis" pipeline recommendation
- threat-model.md section 1.5: "Unsigned skills -- no guarantee of provenance"
- OWASP ASI04: Supply Chain