Authenticating binary substitutes

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

From: ludo@gnu.org (Ludovic Courtès)
To: nix-dev <nix-dev@cs.uu.nl>
Cc: bug-guix@gnu.org
Subject: Authenticating binary substitutes
Date: Wed, 22 May 2013 17:12:20 +0200	[thread overview]
Message-ID: <8761ybcaln.fsf@gnu.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 1139 bytes --]

Hello,

Currently the “binary cache” substituter relies on DNS to authenticate
downloaded binaries: anything coming from, say, hydra.nixos.org is
considered authentic, because hydra.nixos.org is listed in the
‘trusted-binary-cache’ list.

This is obviously subject to person-in-the-middle attacks: one could
connect over Wifi to somebody else’s network, which happens to redirect
hydra.nixos.org to evil.example.com, and end up downloading evil binaries.

I was thinking of a simple extension to solve that:

  1a. The /nix-cache-info file would contain an (optional)
     ‘OpenPGPFingerprint’ field, to announce the fingerprint of the
     OpenPGP key used to sign Nars.

  1b. In addition to, or alternatively, a /nix-signing-key file would be
      served, containing the OpenPGP key used to sign Nars.

  2.  In addition to serving, say,
      /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1, the server would
      also serve /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1.sig, an
      OpenPGP binary signature of the uncompressed Nar.

WDYT?  Could this be implemented in Hydra?

Ludo’.

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

next             reply	other threads:[~2013-05-22 15:12 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-22 15:12 Ludovic Courtès [this message]
2013-05-22 15:42 ` Authenticating binary substitutes Lluís Batlle i Rossell
2013-05-22 16:05   ` [Nix-dev] " Ludovic Courtès
     [not found] ` <519D0DA2.8030506@logicblox.com>
2013-05-22 20:16   ` Ludovic Courtès
     [not found]     ` <519D2D5A.9020808@logicblox.com>
2013-05-22 21:48       ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8761ybcaln.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=bug-guix@gnu.org \
    --cc=nix-dev@cs.uu.nl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).