
Security

Identity and Access Management is a critical aspect of cloud security, and as such, security is a top priority in the development and maintenance of Granted. If you have any security questions you may email granted-support@fwdcloudsec.org.

Design notes

Granted utilises the AWS Go SDK v2 for all credential exchange processes including handling of the AWS SSO login process. This SDK is officially supported by AWS.

Release Verification

Granted binaries are signed with our GPG key. You can verify the integrity and authenticity of a Granted binary by following the process below.

Prior to verifying a release you must import our GPG key:

    # get the key from Keybase, GitHub, or https://docs.granted.dev/security, and save it as granted.asc.
    gpg --import granted.asc

  1. Download the Granted release artifact you wish to verify (we will use the Linux x86_64 version as an example):

    curl -OL https://releases.granted.dev/granted/v0.38.0/granted_0.38.0_linux_x86_64.tar.gz

  2. Download the checksums for the release:

    curl -OL https://releases.granted.dev/granted/v0.38.0/checksums.txt

  3. Download the signature file:

    curl -OL https://releases.granted.dev/granted/v0.38.0/checksums.txt.sig

  4. Verify the integrity of the release artifact:

    shasum -a 256 -c checksums.txt --ignore-missing

    You should see an output similar to the below:

    granted_0.38.0_linux_x86_64.tar.gz: OK

  5. Verify the integrity and authenticity of the checksums:

    gpg --verify ./checksums.txt.sig
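
The checks from steps 4 and 5 as one script, written here as an added example (it is not part of Granted or its documentation). It verifies the signature before the checksums are used, accepts only a signature from the release signing fingerprint published on this page, and fails if the artifact has no entry in checksums.txt. Function names are illustrative, and the key is assumed to have been imported already.

```shell
#!/bin/sh
# Added example, not Granted's own tooling. Function names are illustrative.
# Fingerprint copied from the "PGP Public Key" section of this page.
EXPECTED_FPR="59AD 05A4 DA73 FD45 BABB 0D14 236F B5E3 8552 8EB4"

# Strip spaces and upper-case so fingerprints compare as plain strings.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). Prints nothing if there is none.
signer_fpr() { awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'; }

# Succeeds only if $2 is a good signature over $1 made by EXPECTED_FPR.
# A good signature from any other key in the keyring is rejected.
verify_checksums_sig() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  [ "$(printf '%s\n' "$status" | signer_fpr)" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Succeeds only if artifact $1 has an entry in checksums file $2 and matches it.
# An artifact with no entry fails instead of being skipped.
verify_artifact() {
  name=$(basename "$1")
  want=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$2")
  [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
}

# Signature first, so the checksums are trusted before they are used.
verify_release() {  # usage: verify_release ARTIFACT checksums.txt checksums.txt.sig
  verify_checksums_sig "$2" "$3" || { echo "FAIL: signature" >&2; return 1; }
  verify_artifact "$1" "$2" || { echo "FAIL: checksum" >&2; return 1; }
  echo "OK: $1"
}

if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

Run it as `sh verify.sh granted_0.38.0_linux_x86_64.tar.gz checksums.txt checksums.txt.sig`, where verify.sh is a placeholder file name.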

Firefox addon security

The Granted Firefox addon operates with the minimum possible permissions and does not have the ability to read information from any web pages. By design, the extension does not have permission to read any information from the DOM when you are accessing cloud provider consoles. The extension uses a Background Script which can’t directly access web page content.

The permissions that this extension requires are:

Permission            Reason
contextualIdentities  used to manage tab containers via the contextualIdentity API
cookies               required to access container tab stores in order to list available identities
tabs                  required to open a new tab in a container
storage               required to store information on the list of available containers

Additionally, the source code for the addon is available on GitHub under the MIT licence. Security-conscious users may opt to build the extension from source and install it locally: instructions on how to do so are available in the GitHub repository.

Vulnerability Reporting

We deeply appreciate any effort to discover and disclose any security vulnerabilities in Granted. We currently do not operate a public bounty program but individuals may be acknowledged in security notifications as appropriate.

If you would like to report a vulnerability in Granted, please email granted-support@fwdcloudsec.org rather than raising an issue on GitHub. We ask that you follow the responsible disclosure model. You may encrypt your message with our PGP key printed below.

PGP Public Key

Our release signing PGP public key has fingerprint 59AD 05A4 DA73 FD45 BABB 0D14 236F B5E3 8552 8EB4. A copy of the public key is included below.


Linux package signing key

Our Linux APT repository is signed with a separate GPG key. The key is available at https://apt.releases.granted.dev/gpg and has the fingerprint B608 F73B 86DF B0E0 C49E B973 CBCC 5289 67C2 0914. A copy of the public key is included below:


Legacy keys

Keys used prior to v0.39.0 (Common Fate era)

Legacy release signing key

Fingerprint: 65AB 725B 01E6 5C85 051F 9FD5 5024 78AB E3D8 ED71

Previously available on Keybase.

Legacy Linux package signing key

Fingerprint: 783A 4D1A 3057 4D2A BED0 49DD DE9D 631D 2D1D C944

Previously available at https://apt.releases.commonfate.io/gpg.