Subject: bug#22883: Authenticating a Git checkout
From: Justus Winter
To: Ludovic Courtès, Ricardo Wurmus
Cc: 22883@debbugs.gnu.org
Date: Fri, 01 May 2020 17:46:34 +0200
Message-ID: <87sggjpsit.fsf@europa.jade-hamburg.de>
In-Reply-To: <87bln9oupo.fsf@gnu.org>
Ludovic Courtès writes:

> At this stage, ‘make authenticate’ uses the pure-Scheme implementation
> (based on Göran Weinholt’s code, heavily modified). It can authenticate
> 14K+ commits in ~20s instead of 4m20s on my laptop, which is really
> nice.

Neat :)

> Signature verification in (guix openpgp) does just that: signature
> verification. It does not validate signature and key metadata, in
> particular expiration date. I guess it should at least error out when a
> signature creation time is newer than its key expiration time.

Indeed.
I skimmed both the original and the adapted code, and it notably makes no
attempt to canonicalize the certificates in the keyring (i.e. checking
binding signatures, lifetimes, revocations, (sub)key flags...). While
that is a bit dangerous, it is okay for a point solution for Guix,
provided that this is properly documented and communicated.

One can forgo canonicalization if one assumes that the keyring is
curated, and one has a good-list of (sub)key fingerprints that are
allowed to create signatures. Reading git-authenticate.scm that does
seem to be the case.

(I bet that certificate canonicalization is the major reason why calling
out to gpgv is so slow: it does that every time, and it involves
signature verification, which is slow (yes, I'm looking at you, RSA).)

> It should also reject SHA1 signatures, at least optionally (I haven’t
> checked whether our Git history has any of these).

I believe it should. For reference, we reject SHA1 signatures for
signatures created since 2013.

> Next steps:
>
> • Clean up the (guix openpgp) API a bit, for instance by using proper
> SRFI-35 error conditions. Perhaps handle v5 packets too.

Don't bother with v5 packets for now. The RFC is nowhere near
completion, and even if it is one day, it will be quite some time until
you see these packets in the wild.

All the best,
Justus