From: Ricardo Wurmus
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Tue, 22 Jan 2019 08:18:09 +0100
Message-ID: <87womxcg9a.fsf@elephly.net>
In-reply-to: <20190118162301.52eaeb12@alma-ubu>
List-Id: Bug reports for GNU Guix
To: Björn Höfling
Cc: 34125@debbugs.gnu.org

Hi Björn,

> I was looking at the installation video from Laura (not yet public) and
> wondered about that:
>
> We just download the installation script:
>
> $ wget https://.../guix-install.sh
>
> Then we go on directly executing that script.
>
> Shouldn't that be safeguarded by a PGP signature too?

I don’t know.

> Because if it is not, the user could be tricked into a script that
> downloads a "bad" Guix installation tarball.

To avoid having the user tricked we use HTTPS.
At least the users will know that this file comes from the official project website. A user who is tricked into downloading a script from a malicious site could just as well download a matching signature from somewhere else, so the script body itself should be signed.

We can’t sign the whole file because the first line must be the shebang — unless we forgo the shebang and the “chmod +x” instruction and ask people to execute it with “sudo bash guix-install.sh”. “gpg --clear-sign” adds a block of text before and after the file, which would be a syntax error in a shell script.

We are probably stuck with having a separate signature file. I don’t know if it’s worth doing when HTTPS is used to fetch the script from an authoritative source.

> That's what we are always
> criticising about others wget-scripts that install whatever to the user.

The criticism is aimed at “curl | sudo bash” instructions that execute scripts off the Internet without prior inspection as root.

-- 
Ricardo
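The separate-signature-file approach discussed above, as an added example that is not part of the original message or of the Guix installer: the script keeps its shebang on line 1, the signature lives in a detached guix-install.sh.sig, and the verifier checks the signature against a pinned key fingerprint before running anything. Everything here is constructed for the demo: a throwaway GNUPGHOME, a freshly generated signing key standing in for the project's release key, a two-line stand-in installer script, and the file names. The helper names demo_verify_then_run and verify_against_fpr are assumptions, not Guix names.

```shell
#!/bin/sh
# Added example (not Guix project code): sign a constructed installer script with a
# detached GnuPG signature, then verify it against a pinned fingerprint before
# executing it. A tampered script (or a signature from some other key) is rejected.
set -eu

# Accept the signature only if gpg reports VALIDSIG for the pinned fingerprint,
# either as the signing key or as its primary key. A signature that merely
# "verifies" under some unrelated key, e.g. one fetched from the same site that
# served a malicious script, is not good enough.
verify_against_fpr() {
    expected=$1; sig=$2; file=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v f="$expected" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==f || $NF==f) {ok=1} END {exit ok?0:1}'
}

# Mode "clean": sign, verify, run. Mode "tamper": sign, then modify the script
# before verification, which must make verification fail.
# Returns 0 = verified and executed, 1 = rejected and NOT executed,
#         2 = gpg is not installed (demo skipped).
demo_verify_then_run() {
    mode=${1:-clean}
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # 1. Throwaway signing key (assumption: stands in for the release key).
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr:/ {print $10; exit}')

    # 2. Constructed installer script; the shebang stays on line 1 because the
    #    signature goes into a separate file instead of wrapping the script.
    printf '#!/bin/sh\necho installed-ok\n' > "$work/guix-install.sh"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --detach-sign --output "$work/guix-install.sh.sig" "$work/guix-install.sh"

    # Simulated tampering after signing (what a malicious mirror would do).
    [ "$mode" = tamper ] && printf 'echo evil\n' >> "$work/guix-install.sh"

    # 3. Verify the body against the pinned fingerprint, and only then run it.
    if verify_against_fpr "$fpr" "$work/guix-install.sh.sig" "$work/guix-install.sh"; then
        sh "$work/guix-install.sh" >/dev/null
        rc=0
    else
        rc=1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

# Stand-alone run: report the outcome of both scenarios.
for mode in clean tamper; do
    rc=0; demo_verify_then_run "$mode" || rc=$?
    echo "$mode: rc=$rc"
done
```

In real use the fingerprint passed to verify_against_fpr would be obtained out of band (printed documentation, a key already in the keyring), not from the same download as the script and signature; that is the only thing that distinguishes this check from trusting whatever the server sends.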