besides the unencrypted http connection on port 80 focused on in issue #293, there is another connection visible when following the same instructions:
Reproducing build from remote manifest...
⣼ Reproducing enclave image[2026年06月15日T05:36:17.122Z DEBUG reqwest::connect] starting new connection: http://codeberg.org/
⡟ Reproducing enclave image[2026年06月15日T05:36:17.563Z DEBUG hyper_util::client::legacy::connect::http] connecting to [2a0a:4580:103f:c0de::1]:80
⣧ Reproducing enclave image[2026年06月15日T05:36:17.865Z DEBUG hyper_util::client::legacy::connect::http] connecting to 217.197.84.140:80
⠿ Reproducing enclave image[2026年06月15日T05:36:18.483Z DEBUG hyper_util::client::legacy::connect::http] connected to 217.197.84.140:80
⣹ Reproducing enclave image[2026年06月15日T05:36:19.096Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("http", codeberg.org)
[2026年06月15日T05:36:19.096Z DEBUG reqwest::connect] starting new connection: https://codeberg.org/
[2026年06月15日T05:36:19.097Z DEBUG hyper_util::client::legacy::connect::http] connecting to [2a0a:4580:103f:c0de::1]:443
⠿ Reproducing enclave image[2026年06月15日T05:36:19.398Z DEBUG hyper_util::client::legacy::connect::http] connecting to 217.197.84.140:443
⣼ Reproducing enclave image[2026年06月15日T05:36:20.017Z DEBUG hyper_util::client::legacy::connect::http] connected to 217.197.84.140:443
⡟ Reproducing enclave image[2026年06月15日T05:36:23.399Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", codeberg.org)
Here, the connection appears to try http on port 80, and then upgrade to https and use port 443. I believe this is due to the forge (here codeberg.org) requiring https or ssh rather than caution requiring or seeking an encrypted connection.
verification (via caution verify) appears to generate candidate source-archive URLs that can prefer plain http:// over https://, and then downloads from the first URL that works. That means an on-network-path attacker could tamper with the application source during reply whenever the endpoint answers on port 80, or when the attacker can intercept plaintext traffic on route to the endpoint.
The downloaded archive is then unpacked and built locally as part of verification; therefore tampering is not limited to causing a verification mismatch, it could also potentially feed attacker inputs into the local build.
execution path appears to be:
build_and_get_pcrs(manifest.clone(), no_cache, None) (defined here)
uses enclave_sources which is a Vec<String> from an external manifest.
The manifest is used with git_url_to_archive_urls which strips out the host and the path and then creates a Vec<String> on this line, crucially beginning with http (and including one other http protocol based URL).
this is bound to archive_urls
which is used as an argument in download_and_extract_app_source_with_git_fallback which will use archive_urls as an argument in download_and_extract_app_source_with_fallbacks which simply iterates over the Vec.
I believe this means the http protocol entry will be read and then used first, accepting the first success, without requiring authenticated transport.