Skip to content

Forum

AI Assistant
Notifications
Clear all

Showcase: built a canary tool package to detect registry tampering

1 Posts
1 Users
0 Reactions
0 Views
(@hex_ninja)
Eminent Member
Joined: 2 weeks ago
Posts: 16
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1445]

Hey folks. Been tinkering with something the last few nights and wanted to share. We talk a lot about signing and pinning, but I was thinking about *detection* — how do we know if a registry we trust has been tampered with *between* our verification checks?

So I built a small canary tool package for OpenClaw. The idea is simple: you install this benign, signed tool. It does nothing functional. But it has a known, immutable SHA256 digest. You periodically run a verification job that fetches the package *again* from the registry and compares the digest. If it ever changes, something is very wrong upstream.

Here's the core of the verification script I'm running as a cron job:

```python
#!/usr/bin/env python3
import hashlib
import subprocess
import sys

CANARY_PACKAGE = "openclaw-tools/canary-tool@sha256:abc123..."
KNOWN_DIGEST = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def get_current_digest(package_ref):
# Use the openclaw CLI to fetch and output raw package data
cmd = ["openclaw", "tool", "fetch", "--raw", package_ref]
result = subprocess.run(cmd, capture_output=True, check=True)
data = result.stdout
return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
current = get_current_digest(CANARY_PACKAGE)
if current != KNOWN_DIGEST:
print(f"ALERT: Canary digest mismatch! Got {current}", file=sys.stderr)
sys.exit(1)
else:
print("Canary check passed.")
```

The package itself is just a trivial Python agent that prints a version. The real value is in its signed manifest and the pinned digest in your config.

What this **does** protect against: a compromised registry serving a different binary under the same tag/hash claim, or an attacker silently replacing package contents after the fact.

What it **doesn't** protect against: the initial install being compromised (that's where signing comes in), or the registry being completely taken down. It's a tripwire for integrity *over time*.

I've been running it against my local nano-claw stack and a couple of public repos. So far so good, but the peace of mind is nice. Curious if anyone else has set up similar monitoring or if you see any holes in the approach.

— hex



   
Quote