From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Authenticating binary substitutes
Date: Wed, 22 May 2013 17:12:20 +0200
Message-ID: <8761ybcaln.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([208.118.235.92]:55950)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1UfAiW-0003xk-3d
	for bug-guix@gnu.org; Wed, 22 May 2013 11:12:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1UfAiR-0007XW-Bd
	for bug-guix@gnu.org; Wed, 22 May 2013 11:12:40 -0400
Received: from [2a01:e0b:1:123:ca0a:a9ff:fe03:271e] (port=43140
	helo=xanadu.aquilenet.fr) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1UfAiR-0007VZ-5g
	for bug-guix@gnu.org; Wed, 22 May 2013 11:12:35 -0400
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
To: nix-dev <nix-dev@cs.uu.nl>
Cc: bug-guix@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

Currently the =E2=80=9Cbinary cache=E2=80=9D substituter relies on DNS to a=
uthenticate
downloaded binaries: anything coming from, say, hydra.nixos.org is
considered authentic, because hydra.nixos.org is listed in the
=E2=80=98trusted-binary-cache=E2=80=99 list.

This is obviously subject to person-in-the-middle attacks: one could
connect over Wifi to somebody else=E2=80=99s network, which happens to redi=
rect
hydra.nixos.org to evil.example.com, and end up downloading evil binaries.

I was thinking of a simple extension to solve that:

  1a. The /nix-cache-info file would contain an (optional)
     =E2=80=98OpenPGPFingerprint=E2=80=99 field, to announce the fingerprin=
t of the
     OpenPGP key used to sign Nars.

  1b. In addition to, or alternatively, a /nix-signing-key file would be
      served, containing the OpenPGP key used to sign Nars.

  2.  In addition to serving, say,
      /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1, the server would
      also serve /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1.sig, an
      OpenPGP binary signature of the uncompressed Nar.

WDYT?  Could this be implemented in Hydra?

Ludo=E2=80=99.

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlGc4FgACgkQd92V4upS7PSPZwCcCjZ5V2eexnDpbceCja+3nCmx
FQ0An1omeWi0Y4fb3zRfxo8VPO/oSlnQ
=oepx
-----END PGP SIGNATURE-----
--=-=-=--