chore: show a validation action #23539

Closed
alexeagle wants to merge 1 commit into protocolbuffers:validation_protoc_authentic from alexeagle:validation_protoc_authentic

@alexeagle (Collaborator) commented Sep 17, 2025

Rough sketch of a way to check whether protoc is an "authentic" release from the protobuf team.

We create a single validation action, and then forward the validation output group through proto_library to ensure all users should hit it.

Next steps to make it real:

  • instead of just checking protoc --version and then failing, we should checksum protoc and verify against the expected hash

demo:

alexeagle@aspect-build protobuf % USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto --norun_validations
INFO: Analyzed target //rust/test:parent_proto (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //rust/test:parent_proto up-to-date:
  bazel-bin/rust/test/parent_proto-descriptor-set.proto.bin
INFO: Elapsed time: 0.210s, Critical Path: 0.00s
INFO: 1 process: 1 action cache hit, 1 internal.
INFO: Build completed successfully, 1 total action
alexeagle@aspect-build protobuf % USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto                    
INFO: Analyzed target //rust/test:parent_proto (0 packages loaded, 0 targets configured).
ERROR: /Users/alexeagle/Projects/protobuf/bazel/private/BUILD:5:20: Action bazel/private/validation_output.txt failed: (Exit 1): bash failed: error executing Action command (from target //bazel/private:authenticity_check) /bin/bash -c ... (remaining 1 argument skipped)

Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
libprotoc 33.0-dev
protoc came from an untrusted source, we do not support this. To suppress this warning run with --norun_validations
Target //rust/test:parent_proto failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 0.136s, Critical Path: 0.02s
INFO: 2 processes: 1 action cache hit, 2 internal.
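
Added example, not part of this PR or of the protobuf repository: one way the "next step" named in the description above (checksum protoc and verify against the expected hash) could look as the script body of the validation action. The function names, the allowlist file format and the exit codes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Hypothetical hash-based authenticity check for a validation action.
# Names (sha256_of, check_protoc_authentic) and the allowlist format are assumed.

# Print the hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_protoc_authentic <protoc> <allowlist> <validation_output>
# allowlist: one "<sha256>  <label>" per line; '#' comments and blank lines skipped.
# Returns 0 and writes <validation_output> only when the digest is allowlisted,
# 1 when the binary is not a known release, 2 when it could not be hashed.
check_protoc_authentic() {
  local protoc allowlist out actual digest label
  protoc="$1"; allowlist="$2"; out="$3"
  [ -f "$protoc" ] || { echo "protoc not found: $protoc" >&2; return 2; }
  actual="$(sha256_of "$protoc")" || return 2
  [ "${#actual}" -eq 64 ] || { echo "could not hash $protoc" >&2; return 2; }
  while read -r digest label || [ -n "$digest" ]; do
    case "$digest" in ''|'#'*) continue ;; esac
    # Accept upper-case hex in the allowlist.
    digest="$(printf '%s' "$digest" | tr 'A-F' 'a-f')"
    if [ "$digest" = "$actual" ]; then
      printf 'protoc %s matches %s\n' "$actual" "${label:-unlabelled}" > "$out"
      return 0
    fi
  done < "$allowlist"
  echo "protoc sha256 $actual is not in the list of expected release hashes" >&2
  return 1
}
```

In a validation action the third argument would be the declared validation output, so that file exists only when the digest matched and the action fails otherwise.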

@haberman (Member) commented:

I wasn't able to reproduce the output above. I get:

$ USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto --norun_validations
Starting local Bazel server (8.4.2) and connecting to it...
WARNING: For repository 'rules_cc', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'bazel_skylib', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_java', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_shell', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'googletest', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
ERROR: /usr/local/google/home/haberman/jj/protobuf/rust/test/BUILD:36:14: in proto_library rule //rust/test:parent_proto: 
Traceback (most recent call last):
	File "/usr/local/google/home/haberman/jj/protobuf/bazel/private/proto_library_rule.bzl", line 116, column 24, in _proto_library_impl
		OutputGroupInfo(_validation = depset([ctx.attr._authenticity_check[OutputGroupInfo]._validation])),
Error in OutputGroupInfo: for 'output group '_validation'', got a depset of 'depset', expected a depset of 'File'
ERROR: /usr/local/google/home/haberman/jj/protobuf/rust/test/BUILD:36:14: Analysis of target '//rust/test:parent_proto' (config: 209a934) failed
ERROR: Analysis of target '//rust/test:parent_proto' failed; build aborted
INFO: Elapsed time: 3.645s, Critical Path: 0.03s
INFO: 1 process: 1 internal.
ERROR: Build did NOT complete successfully

(Sorry if this is due to my slow review -- perhaps something bitrotted in the meantime).

alexeagle added a commit that referenced this pull request Nov 20, 2025
Gives some protection against a repo accidentally registering a protoc binary on the toolchain that doesn't behave as expected.
Based on #23539

@alexeagle (Collaborator, Author) commented:

Rolled into #24115 at protobuf team's request.

@alexeagle alexeagle closed this Nov 20, 2025
alexeagle added a commit that referenced this pull request Dec 9, 2025
Gives some protection against a repo accidentally registering a protoc binary on the toolchain that doesn't behave as expected.
Based on #23539