Security

Identity and Access Management is a critical aspect of cloud security, and as such, security is our top priority when developing and maintaining Granted. If you have any questions about our security program you may email security@commonfate.io.

Design notes

Granted utilises the AWS Go SDK v2 for all credential exchange processes including handling of the AWS SSO login process. This SDK is officially supported by AWS.

Release Verification

Glide signs Granted binaries with our GPG key. You can verify the integrity and authenticity of a Granted binary by following the process below.

Note

The process below will use v0.8.0 as the version of Granted. Ensure you change version references to v0.8.0 to the version of Granted you wish to verify when following this process.

Prior to verifying a release you must import our GPG key

# get the key from Keybase, GitHub, or https://docs.commonfate.io/granted/security, and save it as commonfate.asc.
gpg import commonfate.asc

1. Download the Granted release artifact you wish to verify (we will use the Linux x86_64 version as an example):

   curl -OL releases.commonfate.io/granted/v0.8.0/granted_0.8.0_linux_x86_64.tar.gz

2. Download the checksums for the release:

   curl -OL releases.commonfate.io/granted/v0.8.0/checksums.txt

3. Download the signature file:

   curl -OL releases.commonfate.io/granted/v0.8.0/checksums.txt.sig

4. Verify the integrity of the release artifact:

   shasum -a 256 -c checksums.txt --ignore-missing

   You should see an output similar to the below:

   granted_0.8.0_linux_x86_64.tar.gz: OK

5. Verify the integrity and authenticity of the checksums:

   gpg --verify ./checksums.txt.sig

Firefox addon security

The Granted Firefox addon operates with the minimum possible permissions and does not have the ability to read information from any web pages. By design, the extension does not have permission to read any information from the DOM when you are accessing cloud provider consoles. The extension uses a Background Script which can’t directly access web page content.

The permissions that this extension requires are:

Permission	Reason
contextualIdentities	used to manage tab containers via the contextualIdentity API
cookies	required to access container tab stores in order to list available identities
tabs	required to open a new tab in a container
storage	required to store information on the list of available containers

Additionally, the source code for the addon is available on GitHub under the MIT licence. Security-conscious users may opt to build the extension from source and install it locally: instructions on how to do so are available in the GitHub repository.

Vulnerability Reporting

We deeply appreciate any effort to discover and disclose any security vulnerabilities in Granted. We currently do not operate a public bounty program but individuals may be acknowledged in security notifications as appropriate.

If you would like to report a vulnerability in Granted, please email security@commonfate.io rather than raising an issue on GitHub. We ask that you follow the responsible disclosure model. You may encrypt your message with our PGP key printed below. We take all vulnerability reports seriously and will rapidly respond and verify the vulnerability before taking steps to address it.

PGP Public Key

Our PGP public key can be fetched from Keybase with fingerprint 65AB 725B 01E6 5C85 051F 9FD5 5024 78AB E3D8 ED71. A copy of the public key is included below.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGCb9UABEADcK6S4PPSDZRcgR4ToKvljghmL3m8v9A32CvHOTBpWumhfmHoi
9zDq/fB/vzhMcxGKrD4D64Rna3T2L2NGVEYTxwm4iwTNBNxKb1VFRlXKZtqXsYk6
JCplGLinkSROoZhhGFbJjUE5GGbnuhWgAZbJRd937rumHgA9RNXy2lV0APQo9qvR
TkOfqS8LgKNQDY7ljYcGsNgj1uWTqshsYzqm7D/QLy9L+9zR9nD7oO7yoJAmbeyO
RayAXcZZafw/SXHHZDeiuQgJwsuAP+Xgg63TGyAZgB/k73tAvw+CfNKejlan0r2u
I7JvP9RZI+q+UXVKtiWYCadvmMD6TnXpwlDguR1wF9O8I00UjSm9Uv8I4IHVlaO4
cX1NOfA4LaHEgH+43Zefkcl0kq1gkHOq34JjHf1DNAaxT4BDx8GZPIw14dXw3PLu
CF1xAjqTA5KuAH6A91ZeIkaYAWmZJeZo7HyLXhrN9oMeFY0EyAXBcnHLapHcqwlq
32eECjN1k6wgeiygNjOLvGx5n3UG5lTg3EJ3CIAwxnWROGQDnZ3u3ibxJi80saVv
IBpheTr+hIUQMal/3QKX4JRl/+CYbtypazIOc9UNRxEkRENqJTaD24ww//iyITXY
L5yXlhl5Z8nIJui4q3z1nBvmTBkF1H0BVacBPeI2abEXZjMp2L2FT7cZJQARAQAB
tCRDb21tb24gRmF0ZSA8c2VjdXJpdHlAY29tbW9uZmF0ZS5pbz6JAk4EEwEIADgC
GwECF4AWIQRlq3JbAeZchQUfn9VQJHir49jtcQUCYJv2rgULCQgHAwUVCgkICwUW
AgMBAAIeBQAKCRBQJHir49jtcXdeEACpc9jNKsZWKD6ozToKIK3/RBHNwfEIoaAb
8hvm18y51HA3ugKsSxjf2zkX8zwGpIdzM8QiMTKEAK2Ka0cYP9ZMGGE5NuzTy44S
P+MRUUvXC5QNSIfH+eD/PxNih2pxLzUGGaqMuPzHAP4aovx/0GMzFWpOR6AIgVHo
+zmygfpiWmYbBntDcMsRssTGkfnisuL/QJ7cWTl+mStg5wJybTXGdm6A6bGlqp3n
+UDjq1s9vQRfq1kFZJdu36LbG5OZMGVzQswtZtj5DOMSQWgwnJdSPjJrnFbe4ieu
3rFysdE3gu+ZFKdNN+v1FUOtwo0I3W7m2W4axJc3wpcQXbYZGw2RsAgWpKHSN8uV
zT9CYxl7MoANDvxwmQVLRFUao3qtSZVJtNo829145/dS88Auawf0PpV1yEFPf9Fk
WJQOVjSQnq8vwsoNivMOcBh+kpsYHVi9IEbMEBwK/FS79NFAl63tb4Z5JKHXLYEV
U5D/PmCFCd326QDAWzELvEAW45SH6G6TCSW2yy/Q2wf+VXfenm1THzCsIhaS0TDl
QCPM60uqzVy0Cg7TCbrIp4AKrZoAypd4fIzvsnVHZg6iqPHHT74ZKC4tyljWE0VJ
ZTqLrakjXyrNX03IHJ/qGplreOnK4sAm19kISVI3Np9XEllAhrDv8478nmM0Q66e
j14VQKjTlLkCDQRgm/vrARAAuqUKr/Gb2Il235ramYnjDzJH8zErpO90Cd7SXKMd
Btw5ArBG1k9d6QeorB/6Z21A3Xf0QphiUkfNeWXlkcewuFwDBJiIv4Y2XC/EzmxR
A9B0OX5A44TityUKWQbdNpxhNqiOEnqGqV2DVwxkOdeuaBc4cXbEKL+DRnZVMNdw
Bilakl3ZX5b8uyGXnZm4ExACi4Cs63r4vd3s0sQoT4YxiCusaVnJSsvt+Tk6qMcF
yqlWca9DBTsFXCkDCsBiXMDDkU+03rJvBsh1r+9ZqOGgrecB8hMCPrJ6omr4MLmt
wLFOFyYcsuar5IPUenws3g1NIK31kDX/I4ARN560LKovj8rSJOEFhAQ2JRPV0hJ8
iFqkq0+pJtlXMsq57SDgpaECJ+R+tkUuqal1W+cqiwW6yRP7GrqxPogJsThucES8
RiE3IT0IRBv70OYvP268Y/392p8VrBDifsy+BWfRrX6kLDSYKyCBrbeQ8dA4uk7Y
ZJg1p5uevCiCOQ+MbFucRHxHaLv7xf+3Gvac8R2F///T4NjxdcNWorz158ZuOb1G
3uN/4auwNFcDKv2+ASeTgTLZP1VBuOB9fieyY/9YI1d5wcxKQ+z69NQjYJNkxs7P
HZWEakuztIWna72KqEYVMs4+tVyli+2dkcJD8KpHlvoVKH6Vl7KCiic5lx6FPf+K
u0MAEQEAAYkEbAQYAQgAIBYhBGWrclsB5lyFBR+f1VAkeKvj2O1xBQJgm/vrAhsO
AkAJEFAkeKvj2O1xwXQgBBkBCAAdFiEEEOpsCUoAPpLrr9eQ7h1EHJHTBIUFAmCb
++sACgkQ7h1EHJHTBIXXMQ//b3o+gHVF4F82VXGA5HGu0I/Z+0Zn8NMNI9qRYDmp
DrMT4K8/XWqrPrGVORdDyd48CCMVfMrOEetWPmvd2JPSwJ/0flgwi0NdskMZN4D7
hrvva9WA7M43UV5ACqoulKg9wwsBc3ei9ee+xV5lenoKoaRkhUxP8VyMydPQy7MS
tz8LrX5KMFnITitus8U1fO8s9jdrdAbhDJGhDG2Qxn67DFDtgoUZv1Xk3GAM9pyX
L1Fn74waRGqaKRUx6BZA03DPPkbOuHAKGfCmsBqLMSWuVtx9JReL5DHZlSnK4guM
d3EBinYfF/gOU+OsujFhLPeDwh6D4cfYEyMQsmL6VNWlX4p75cHrtjDPIPwsDu1s
5gf37WwalrX68cbovoDJvO11VSLFy6cqDWfc25k1TYjDClb2pVwyL+kyoreBeSVD
SLI5aEgK22q5BxznLzbWnCgXi0+VdrbmRXi8LRepns5mfgWD/kOJgTAZRfQNb1G5
vLx+gxOv0h8m1aIXSPHlk1NQRBumpd4CgEsWaod5q7LhYOeP0hys8k//hWU2XWsy
v45jBAcDO6XR37uys5CE7w9e+q0cQDSx7xmuy+DW9oI65+RKcK3muGesBnoAf9BE
YsQkg6/cijiPwda3IDhptHm5R3pfqZPDlziTeEKx/TBoQHNWmwI3AYH1v1aFsWeU
+f82Cw/9HWMFl3zo3KbWI4tdHTIOgD6UpeInXs45gXMDs/iw4mNQWnCcLDngwI82
o0AZHX25WKmHSg6LEAoQgE/GpSBo4tzOcDftsUa8/zDpW88faNTKTcaxjVUuixsx
xTgRF2hAwLYDZ/UcOT0hMrM2FN4K/2QpZQLOCQOSU8hdSPHIW/Kop7F/Horwt4Sl
yyWehBH4CRy6WXokoa2kBGchfTQ2h8ROuIAF45ODvwzfBxzpl4FnTZVbsv1Sh+9n
h8PQfjcBoH6o/c5Ti5iBmUKWIlGcnTceaT4quOVy7dYOueO89phVfh12EX1fOifn
zZtx5pHGGT9atgCcXY0CAgmzR1oFfge6+wZX9DAOYPicl8gnWSBnwYzOLEu7+5df
OmbADgOWDYwSxtaWdoXnQzizUYHcRerwVGsuqhb7CcQ5FiZgOX6EIpCitlz9gznG
PPsVpxOVETwcARmwLAo+yfL4Ci5ArNaauisxGO4ioDZvTuUgzFfMDVDINizwa8tG
0BSfD7EHeCs6pRA6HbHfSsBQ+gdCI0LnT0b+S8G5C4YCaGIGhvnHG8sCYan44ZNo
47Ez4Z1hPjgVwo2I+grqvRStnRs8i8O18z5xLwx9g5o6FUjXm3ez/MylV/UoL3zB
arzOaipAdOuTFwxC95aansKixfjvulqFbbJWRzx96Ipr3NoSP+g=
=DqSH
-----END PGP PUBLIC KEY BLOCK-----

Linux package checksum verification

Common Fate’s Linux repositories are signed with a separate GPG key. The key is available at https://apt.releases.commonfate.io/gpg and has the fingerprint 783A 4D1A 3057 4D2A BED0 49DD DE9D 631D 2D1D C944. A copy of the public key is included below:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZmsfPhYJKwYBBAHaRw8BAQdA6w+QuabknOX5wi4lDiQVVIUxfPLcaw7Ls86g
FXnrcXm0W0NvbW1vbiBGYXRlIChDb21tb24gRmF0ZSBMaW51eCBSZWxlYXNlIFNp
Z25pbmcgS2V5KSA8c2VjdXJpdHkrbGludXgtcmVsZWFzZXNAY29tbW9uZmF0ZS5p
bz6ImQQTFgoAQRYhBHg6TRowV00qvtBJ3d6dYx0tHclEBQJmax8+AhsDBQkHhM4A
BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEN6dYx0tHclEPncBAO8jDZSs
DzkDbAd6yR5NPZj5Ihj7V1Umyv0edswcnRt1AP9WeXILrDz9wUNlUHaSLNPOnd6w
+0v0XoxKXIAnlaNmDbg4BGZrHz4SCisGAQQBl1UBBQEBB0CSyARqgC+EyIisU8QJ
rCuYiYnwvATvZy32trbgdZ+DLQMBCAeIfgQYFgoAJhYhBHg6TRowV00qvtBJ3d6d
Yx0tHclEBQJmax8+AhsMBQkHhM4AAAoJEN6dYx0tHclE9DkA/AjeWnkJDSQ5iyEw
UMeBbK343uNksWs7O7OnbnpMd9BuAQD4rhK2PWqEB5DMdZUARnBI7b0qBH+yKr2O
1JkwcpcaCQ==
=TJJ4
-----END PGP PUBLIC KEY BLOCK-----