Howdy!

ludo@gnu.org (Ludovic Courtès) wrote:

> The modus operandi is that administrators add a libgcrypt-generated key
> pair to /etc/guix/signing-key.{pub,sec} (typically an RSA key pair).
> Exported archives are automatically signed with the secret key, and
> imported archives must carry a valid signature verified with
> signing-key.pub.
>
> I find the latter a bit limiting, as it means that all the machines in
> the build farm must have the same key pair installed. So instead, I’m
> inclined to add an ‘authorized key’ list, as with SSH.

I spent a bit of holiday time on this, and just committed the result.

So now the daemon has a SPKI-style access-control list (ACL), which lists the public keys whose imports are allowed. The ACL is stored in “canonical s-expression” format, via Libgcrypt, as envisioned by SPKI [0] and as implemented by lsh [1]. Namely, /etc/guix/acl looks like this:

  (acl (entry (public-key (rsa (n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
                               (e #010001#)))
              (tag (guix import))))

In addition to the actual signature, archive signatures embed the signed hash and the signer’s public key, like this:

  (signature (data (flags pkcs1)
                   (hash sha256 #2749F0EA9F26C6C7BE746A9CFF8FA4C2F2A02B000070DBA78429E9A11F87C6EB#))
             (sig-val (rsa (s #477143FFA2DF163036599985425A331CAF4FF7FA22083A64BA08BEA0DB3BA95472A56B1EAF5E122716FACC81E8D72FEFF0985DDA162EB22FE5579B27D333B774C89425151198DA7A094E264F18755EEA1F278592555C531ADC9DE86C7BFFB4869C70150DD93D07BC032E830F9314CD7EE204DE3ED74DCBB96F63C7D0CDCCD72A#)))
             (public-key (rsa (n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
                              (e #010001#))))

The good news is that, with a bit of work in (guix nar), ‘substitute-binary’ will be able to use that mechanism too. So we can change Hydra to always sign its archives (simple), and ‘substitute-binary’ to always check signatures and check the signer against the ACL. The users can choose whether or not to add hydra.gnu.org’s public key to their ACL.

Comments welcome!

Thanks,
Ludo’.

[0] http://theworld.com/~cme/spki.txt
[1] http://www.lysator.liu.se/~nisse/lsh/lsh.html#Hostauth%20options
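As an added example (not code from this message or from Guix itself), here is a small Python parser for the s-expressions shown above, in Libgcrypt's printable "advanced" form with #..# hex atoms, together with the ACL step the daemon and ‘substitute-binary’ perform: take the public key embedded in the signature and look it up among the ACL entries tagged (guix import). The sample ACL and signature are the ones from the message; the function names (parse_sexp, rsa_key, authorized_keys, signer_authorized) are my own.

```python
import re
from typing import List, Union

SExp = Union[str, bytes, List["SExp"]]  # bare token, hex byte string, or list
_TOKEN = re.compile(r"\s*(?:(\()|(\))|#([0-9A-Fa-f\s]*)#|([^\s()#]+))")

def parse_sexp(text: str) -> SExp:
    """Parse one Libgcrypt advanced-format s-expression (parens, bare tokens, #hex# atoms)."""
    stack: List[List[SExp]] = [[]]
    pos, text = 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad input at offset {pos}")
        pos = m.end()
        if m.group(1):                 # "(": open a new list
            stack.append([])
        elif m.group(2):               # ")": close it (IndexError on a stray ")")
            stack[-2].append(stack.pop())
        elif m.group(3) is not None:   # "#..#": hex bytes, inner whitespace allowed
            stack[-1].append(bytes.fromhex("".join(m.group(3).split())))
        else:                          # bare token such as rsa, n, e, sha256
            stack[-1].append(m.group(4))
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one complete s-expression")
    return stack[0][0]

def rsa_key(pk: SExp) -> tuple:
    """(n, e) as ints from a (public-key (rsa (n #..#) (e #..#))) form."""
    if pk[0] != "public-key" or pk[1][0] != "rsa":
        raise ValueError("not an RSA public-key s-expression")
    params = {p[0]: int.from_bytes(p[1], "big") for p in pk[1][1:]}
    return params["n"], params["e"]

def authorized_keys(acl: SExp) -> set:
    """Keys of ACL entries tagged (guix import); entries with other tags don't count."""
    return {rsa_key(entry[1]) for entry in acl[1:]
            if entry[0] == "entry" and ["tag", ["guix", "import"]] in entry[2:]}

def signer_authorized(acl_text: str, signature_text: str) -> bool:
    """ACL step only: is the public key embedded in the signature on the list?"""
    sig = parse_sexp(signature_text)
    pubkey = next(x for x in sig[1:] if x[0] == "public-key")
    return rsa_key(pubkey) in authorized_keys(parse_sexp(acl_text))

# Sample ACL and signature copied from the message above (the same 1024-bit key).
MODULUS = "00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45"
ACL = f"(acl (entry (public-key (rsa (n #{MODULUS}#) (e #010001#))) (tag (guix import))))"
SIGNATURE = f"""(signature (data (flags pkcs1) (hash sha256 #2749F0EA9F26C6C7BE746A9CFF8FA4C2F2A02B000070DBA78429E9A11F87C6EB#)) (sig-val (rsa (s #477143FFA2DF163036599985425A331CAF4FF7FA22083A64BA08BEA0DB3BA95472A56B1EAF5E122716FACC81E8D72FEFF0985DDA162EB22FE5579B27D333B774C89425151198DA7A094E264F18755EEA1F278592555C531ADC9DE86C7BFFB4869C70150DD93D07BC032E830F9314CD7EE204DE3ED74DCBB96F63C7D0CDCCD72A#)))
 (public-key (rsa (n #{MODULUS}#) (e #010001#))))"""
```

Checking the RSA signature itself (PKCS#1 over the embedded SHA-256 hash) is the separate step Libgcrypt performs; only the "is this signer authorized" decision is shown here, which is why the ACL must also be consulted and a valid signature alone is not enough.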