From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: New “guix refresh” command
Date: Wed, 08 May 2013 00:21:20 +0200
Message-ID: <87d2t24ejj.fsf@gnu.org>
To: Nikita Karetnikov
Cc: bug-guix@gnu.org

Nikita Karetnikov wrote:

>> When downloading new tarballs, it also retrieves signatures and checks
>> them with GPG, via the new (guix gnupg) module.
>
> Could you point me to this part of the source code?  I fail to find it.

See ‘download-tarball’ in gnu-maintenance.scm.

>> If the public key is missing, it attempts to get it from keys.gnupg.net,
>> and tries again; in that case, the key is added to your keyring.
>
> I haven't tried the tool yet, but I'm suspicious.

Ah, I’m glad somebody chimes in.  ;-)

> First, what if the mirror is malicious but the key is there?
> You'll fetch a malicious tarball and a malicious key.

Objects aren’t malicious.  Perhaps you’re talking about situations where
a mirror provides a tarball along with a valid signature, but said
signature is made with a random key, and the tarball is actually not
genuine, right?

First, note that ‘download-tarball’ fetches from ftp.gnu.org directly
(or ftp.gnupg.org, etc.), not from mirrors.

Second, this is the same model as used by the OpenSSH client.  When the
client is first introduced to a host, it presents you its key
fingerprint, you type ‘y’, and that key gets added to your known hosts
file.  From there on, person-in-the-middle attacks are trivially
detected as a key mismatch.

With this approach, introduction is the weak link.  It is mitigated by
the fact that, for instance, I’ve already imported and signed keys of
several GNU maintainers, and by common sense (manually checking the
signatures on a key, the tarball contents, etc.)

Also, keep in mind that ‘guix refresh’ is primarily a maintainer’s tool.
It’s exactly what I would do manually.  What about you?

> Is it possible to use three mirrors to check keys and tarballs?

Check against what?  What do you want to address?

> I also think that one must always check keys manually (using similar
> pages [1]).  Maybe we should manually add fingerprints to a
> licenses.scm-like file and use it along with keys.gnupg.net.  It sounds
> tedious, but it'll be necessary only when you package something for the
> first time.  What do you think?

There’s the ftp.gnu.org/gnu/gnu-keyring.gpg file, which contains all the
keys ever allowed to sign GNU uploads.  But that file is itself
currently unsigned.

Ideally (I think) that file would be signed, and the Guix repo would
contain the master key used to sign gnu-keyring.gpg.
From there, it could fetch that keyring and authenticate it anytime,
which in turn could be used to authenticate GNU source tarballs, as
needed for the on-line auto-updater (see .)

This is similar to Debian’s approach, AIUI.

I’ve made this suggestion to one of the FSF sysadmins, but it seems to
need further discussion, and probably input from crypto-savvy people.

> It also bugs me that there are a lot of packages which are not signed at
> all.  I guess I'll start to ask maintainers to add signatures (at least
> for the future versions).  I hope you'll do the same.

All the packages on gnu{,pg}.org are signed.  I think very few GNU
packages are unsigned.

For non-GNU packages, the situation is not as good, and I agree we must
spread the word, but that won’t change overnight.

> Second, is there a way not to pollute my keyring with such keys or at
> least mark them somehow (for example, as not trusted)?

They are marked as such by default.

Problem is, I want to use my default keyring because it already contains
many keys that I signed.  So I don’t see how to accommodate both needs.

Thanks for sharing your thoughts and concerns!

Ludo’.
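
The two trust models discussed in this message, as an added example that is not part of the original e-mail and is not Guix code: a pin store that accepts a signer key on first introduction (the OpenSSH-style model) and also honours a hand-reviewed fingerprint list of the kind proposed in the quoted text. The class, file name, package names and fingerprints are all constructed for illustration, and the fingerprint is assumed to come from a signature that has already verified cryptographically.

```python
# Added illustration, not Guix code. Names and fingerprints are constructed.
import json
import tempfile
from pathlib import Path


def normalize(fpr):
    """Canonical form of an OpenPGP fingerprint: no spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


class SignerPins:
    """Maps a package name to the fingerprint of the key expected to sign it."""

    def __init__(self, path, reviewed=None):
        self.path = Path(path)
        # 'reviewed' models fingerprints checked by hand and shipped in the repo.
        self.reviewed = {p: normalize(f) for p, f in (reviewed or {}).items()}
        # 'learned' holds keys accepted on first use, persisted between runs.
        self.learned = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, package, fpr):
        """Classify the signer of an already-verified signature."""
        fpr = normalize(fpr)
        if package in self.reviewed:
            return "ok-reviewed" if fpr == self.reviewed[package] else "mismatch"
        if package in self.learned:
            return "ok-learned" if fpr == self.learned[package] else "mismatch"
        # First introduction: nothing to compare against, so the key is pinned
        # as presented. This is the weak link of the model.
        self.learned[package] = fpr
        self.path.write_text(json.dumps(self.learned, indent=2, sort_keys=True))
        return "introduced"


def demo():
    key_a = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"  # constructed
    key_b = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"           # constructed
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pins.json"
        pins = SignerPins(path, reviewed={"pkg-reviewed": key_a})
        return [
            pins.check("pkg-new", key_a),              # first sight: pinned
            pins.check("pkg-new", key_a.lower()),      # same key, other spelling
            SignerPins(path).check("pkg-new", key_b),  # later run, different key
            pins.check("pkg-reviewed", key_b),         # reviewed pin: no first-use gap
            pins.check("pkg-reviewed", key_a),
        ]


if __name__ == "__main__":
    print(demo())
```

A package with a reviewed pin never passes through the "introduced" state, so an unexpected key is rejected even the first time it is seen.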