unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Public key pinning in guix?
@ 2022-01-07 21:24 Maxime Devos
  2022-01-08 16:37 ` Philip McGrath
  0 siblings, 1 reply; 5+ messages in thread
From: Maxime Devos @ 2022-01-07 21:24 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 2362 bytes --]

Hi guix-devel,

I coded up the following recently:

[start snip]
;; TODO does this check all the right fields?
(define %pinned-public-keys
  '(("content.minetest.net" . #u8(188 216 200 89 188 149 240 145 93 189
114 207 239 50 157 141 57 196 11 102))
    ("ftp.gnu.org" . #u8(100 133 126 118 117 115 141 72 253 200 108 158
64 47 85 199 90 0 253 179 181))
    ("www.stackage.org" . #u8(101 7 34 114 166 42 66 55 116 60 42 253
85 30 134 236 217 108 67 119))
    ("hackage.haskell.org" . #u8(80 123 226 229 92 27 203 99 130 198 72
113 250 28 247 58 254 19 104 79))
    ("fastapi.metacpan.org" . #u8(86 7 157 232 133 127 13 58 144 86 37
162 91 239 203 138 150 84 56 67))
    ("cran.r-project.org" . #u8(60 80 123 29 14 43 131 116 105 126 126
58 154 231 6 150 216 158 70 213))
    ("web.cvs.savannah.gnu.org" . #u8(66 134 131 20 232 136 162 102 201
229 202 93 21 161 26 192 176 3 61 38))))

(use-modules (gnutls) (rnrs bytevectors))
(define old (@@ (gnutls) x509-certificate-matches-hostname?))
(set! (@@ (gnutls) x509-certificate-matches-hostname?)
  (lambda (certificate domain)
    (and (old certificate domain)
         ;;  If the domain name is known to Guix, verify the public key
         ;; -- the CA could be corrupt or compromised!
         (let ((pinned-key (assoc-ref %pinned-public-keys domain)))
           (or (pk 'd domain pinned-key (not pinned-key))
               (bytevector=? pinned-key (x509-certificate-key-id
certificate)))))))
[end snip]

I put it in (guix import minetest); it should probably be integrated
into (guix build download) instead.

The purpose is to resist a compromise of the CA system. More
concretely, if you now do "guix refresh -u minetest-moreores"
then a MITM that compromised a CA cannot secretly replace
minetest-moreores with a mod that mines bitcoin for the MITM,
or something.

Possibly also useful for "guix download", "guix import", "guix lint",
"guix build --with-latest=...".

A downside is that whenever content.minetest.net changes public keys,
the pinned public key in Guix needs to be updated. How often does this
happen? I wouldn't now. This could be partially automated with
a "./pre-inst-env guix update-the-pinned-keys" script, and there could
be an "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape
hatch.

WDYT, worth the trouble or not?

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-01-09 15:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-07 21:24 Public key pinning in guix? Maxime Devos
2022-01-08 16:37 ` Philip McGrath
2022-01-09 11:54   ` Maxime Devos
2022-01-09 13:57     ` Philip McGrath
2022-01-09 15:29       ` Maxime Devos

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).