Subject: Re: bug#57091: Git authentication reports subkey fingerprints
From: Maxime Devos
To: Tobias Geerinckx-Rice, bug-guix@gnu.org, Ludovic Courtès
Cc: 57091@debbugs.gnu.org
Date: Thu, 11 Aug 2022 17:07:12 +0200


On 11-08-2022 13:17, Tobias Geerinckx-Rice wrote:
> Apologies if I'm wildly off the mark here. But then I'd like to hear some plausible threat models. Maxime?

Here's a problem with allowing subkeys, if that's what you mean:

  • Expiration times and GPG-level revocation must be ignored (for time-travel, and pulling from an old Guix), similarly to why they must be ignored when no subkeys are used.
  • Someone used to GPG-style subkeys generates a new subkey to replace an old expired subkey, or revokes an old subkey, without keeping in mind that Guix doesn't take that into account.
  • An attacker uses a compromised-but-revoked-or-expired subkey to compromise the channel.

Expiration times might be solvable by taking the commit time of the previous commit as 'current time' (not the commit that was signed, otherwise an attacker could just lie). I don't know a solution for GPG-level revocation of old subkeys but I haven't looked either.

Another problem:

  • When replacing the key in the 'keyring' branch with an 'updated' key that contains the new subkey, we have to be careful to never remove old subkeys, to avoid breaking time travel or pulling from old versions.

Greetings,
Maxime.
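As an added illustration of the two mitigations sketched in the message above (not code from the thread or from Guix), this constructed Python model walks a commit chain and judges subkey expiry at the parent commit's time rather than the signed commit's own claimed time, and checks that a keyring update keeps every old subkey. The keyring, fingerprints and times are all made-up sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the scheme discussed above (added example, not Guix code):
# a primary key owns subkeys with optional expiry; each commit is signed by one subkey.
@dataclass(frozen=True)
class Subkey:
    fingerprint: str
    expires: Optional[int]      # epoch seconds; None means never expires

@dataclass
class Commit:
    id: str
    time: int                   # claimed commit time, chosen by whoever signs it
    signer: str                 # fingerprint of the signing subkey
    parent: Optional["Commit"]

Keyring = Dict[str, Tuple[Subkey, ...]]   # primary fingerprint -> its subkeys

def lookup(keyring: Keyring, fpr: str) -> Optional[Subkey]:
    return next((sk for subs in keyring.values() for sk in subs if sk.fingerprint == fpr), None)

def authenticate_chain(keyring: Keyring, commit: Commit) -> bool:
    """Walk back to the root. Each commit must be signed by a keyring subkey, and
    expiry is judged at the *parent's* commit time (the thread's proposal), so the
    signer's own claimed time cannot help. The root has no parent, so no expiry check."""
    while commit is not None:
        sk = lookup(keyring, commit.signer)
        if sk is None:
            return False
        if (commit.parent is not None and sk.expires is not None
                and commit.parent.time >= sk.expires):
            return False
        commit = commit.parent
    return True

def keyring_update_keeps_old_subkeys(old: Keyring, new: Keyring) -> bool:
    """The 'keyring' branch may only gain subkeys: dropping one breaks time travel."""
    old_fprs = {sk.fingerprint for subs in old.values() for sk in subs}
    new_fprs = {sk.fingerprint for subs in new.values() for sk in subs}
    return old_fprs <= new_fprs

# Constructed sample keyrings and history (fingerprints and times are made up).
OLD_KEYRING = {"PRIMARY-A": (Subkey("SUB-A1", expires=1000),)}
NEW_KEYRING = {"PRIMARY-A": (Subkey("SUB-A1", expires=1000), Subkey("SUB-A2", expires=None))}
BAD_KEYRING = {"PRIMARY-A": (Subkey("SUB-A2", expires=None),)}   # SUB-A1 was removed
C0 = Commit("c0", 500, "SUB-A1", None)
C1 = Commit("c1", 900, "SUB-A1", C0)     # signed while SUB-A1 was still valid
C2 = Commit("c2", 1500, "SUB-A2", C1)    # the replacement subkey takes over
C3 = Commit("c3", 800, "SUB-A1", C2)     # expired SUB-A1 reused with a backdated time
```

With the updated keyring, C1 and C2 still authenticate (time travel keeps working), while C3 is rejected because its parent's time is already past SUB-A1's expiry, whatever time C3 claims for itself.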
