chore: show a validation action
diff --git a/bazel/private/BUILD b/bazel/private/BUILD
index 8c1c94a..7a85233 100644
--- a/bazel/private/BUILD
+++ b/bazel/private/BUILD
@@ -1,5 +1,11 @@
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 load(":native_bool_flag.bzl", "native_bool_flag")
+load(":protoc_authenticity.bzl", "protoc_authenticity")
+
+protoc_authenticity(
+    name = "authenticity_check",
+    visibility = ["//visibility:public"],
+)
 package(default_applicable_licenses = ["//:license"])
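Review bot: The new `protoc_authenticity(name = "authenticity_check", ...)` target is declared before the `package(default_applicable_licenses = ["//:license"])` call that follows it, so it likely does not receive the package's default license metadata, and buildifier expects `package()` directly after the loads. Moving the target declaration below the `package(...)` line keeps it consistent with the rest of the file. A one-line comment above the target, such as `# Validation action that records the resolved protoc; pulled in by proto_library via its _authenticity_check attribute`, would explain why a public target with no obvious consumer lives here.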
diff --git a/bazel/private/proto_library_rule.bzl b/bazel/private/proto_library_rule.bzl
index 8077fa3..7ad6311 100644
--- a/bazel/private/proto_library_rule.bzl
+++ b/bazel/private/proto_library_rule.bzl
@@ -375,6 +375,9 @@
             for use with MessageSet.
             """,
         ),
+        "_authenticity_check": attr.label(
+            default = "//bazel/private:authenticity_check",
+        ),
         # buildifier: disable=attr-license (calling attr.license())
         "licenses": attr.license() if hasattr(attr, "license") else attr.string_list(),
         "_experimental_proto_descriptor_sets_include_source_info": attr.label(
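Review bot: The new `"_authenticity_check": attr.label(...)` entry has no comment, and nothing in this hunk reads the attribute, so a later maintainer is likely to treat it as dead and remove it; its only apparent purpose is to make the dependency's `_validation` output group run alongside every `proto_library` build, which presumably relies on Bazel's validation-action propagation through label attributes. I would add `# Implicit dependency whose _validation output group runs the protoc check for every proto_library; not read by the implementation.` above the entry. The attrs dict this hunk edits starts and ends outside the hunk, so whether the implementation also needs to forward the output group cannot be confirmed from here.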
diff --git a/bazel/private/protoc_authenticity.bzl b/bazel/private/protoc_authenticity.bzl
new file mode 100644
index 0000000..4993ccf
--- /dev/null
+++ b/bazel/private/protoc_authenticity.bzl
@@ -0,0 +1,42 @@
+"Checks that the protoc binary is authentic and not spoofed by a malicious actor"
+load("//bazel/common:proto_common.bzl", "proto_common")
+load("toolchain_helpers.bzl", "toolchains")
+
+def _protoc_authenticity_impl(ctx):
+    if proto_common.INCOMPATIBLE_ENABLE_PROTO_TOOLCHAIN_RESOLUTION:
+        toolchain = ctx.toolchains[toolchains.PROTO_TOOLCHAIN]
+        if not toolchain:
+            fail("Protocol compiler toolchain could not be resolved.")
+        proto_lang_toolchain_info = toolchain.proto
+    else:
+        proto_lang_toolchain_info = proto_common.ProtoLangToolchainInfo(
+            out_replacement_format_flag = "--descriptor_set_out=%s",
+            output_files = "single",
+            mnemonic = "GenProtoDescriptorSet",
+            progress_message = "Generating Descriptor Set proto_library %{label}",
+            proto_compiler = ctx.executable._proto_compiler,
+            protoc_opts = ctx.fragments.proto.experimental_protoc_opts,
+            plugin = None,
+        )
+    validation_output = ctx.actions.declare_file("validation_output.txt")
+
+    ctx.actions.run_shell(
+        outputs = [validation_output],
+        tools = [proto_lang_toolchain_info.proto_compiler],
+        command = proto_lang_toolchain_info.proto_compiler.path + " --version ; echo 'protoc came from an untrusted source, we do not support this. To suppress this warning run with --norun_validations'; false".format(),
+    )
+    return [OutputGroupInfo(_validation = depset([validation_output]))]
+
+protoc_authenticity = rule(
+    implementation = _protoc_authenticity_impl,
+    fragments = ["proto"],
+    attrs = toolchains.if_legacy_toolchain({
+        "_proto_compiler": attr.label(
+            cfg = "exec",
+            executable = True,
+            allow_files = True,
+            default = "//src/google/protobuf/compiler:protoc_minimal",
+        ),
+    }),
+    toolchains = toolchains.use_toolchain(toolchains.PROTO_TOOLCHAIN),
+)
\ No newline at end of file
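Review bot: The `ctx.actions.run_shell(...)` call never writes the declared `validation_output.txt` and its command ends in `; false`, so the action fails unconditionally whether or not protoc is authentic — the `--version` output is discarded rather than compared with anything, which contradicts the module docstring's claim of an authenticity check, and even a passing command would be rejected by Bazel because the declared output was not created. The trailing `.format()` on the command string is a no-op and should go. I would pass the compiler path and output path as `$1`/`$2` arguments instead of concatenating the path into the shell string, record the reported version in the output file, and leave the comparison against a pinned reference (a known version string or binary digest) as an explicit TODO rather than failing outright. Separately, `load("toolchain_helpers.bzl", "toolchains")` differs from the `:name.bzl` form used by the loads in the BUILD hunk and likely needs the leading colon.
```starlark
    # … unchanged: toolchain resolution …
    validation_output = ctx.actions.declare_file("validation_output.txt")

    # Record the version protoc reports; the action must create the declared
    # output or Bazel rejects it. TODO: compare the recorded result against a
    # pinned reference (expected version string or binary digest) and fail only
    # on mismatch, instead of failing unconditionally.
    ctx.actions.run_shell(
        outputs = [validation_output],
        tools = [proto_lang_toolchain_info.proto_compiler],
        arguments = [proto_lang_toolchain_info.proto_compiler.path, validation_output.path],
        command = '"$1" --version > "$2"',
    )
    return [OutputGroupInfo(_validation = depset([validation_output]))]
```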