From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Signed archive export/import
Date: Sun, 29 Dec 2013 16:11:09 +0100
To: guix-devel@gnu.org
Message-ID: <8738lbpu9e.fsf@gnu.org>
In-Reply-To: <87bo0bqy7k.fsf@gnu.org> (Ludovic Courtès's message of "Fri, 20 Dec 2013 17:33:19 +0100")

Howdy!

ludo@gnu.org (Ludovic Courtès) skribis:

> The modus operandi is that administrators add a libgcrypt-generated key
> pair to /etc/guix/signing-key.{pub,sec} (typically an RSA key pair).
> Exported archives are automatically signed with the secret key, and
> imported archives must carry a valid signature verified with
> signing-key.pub.
>
> I find the latter a bit limiting, as it means that all the machines in
> the build farm must have the same key pair installed. So instead, I'm
> inclined to add an 'authorized key' list, as with SSH.

I spent a bit of holiday time on this, and just committed the result.

So now the daemon has a SPKI-style access-control list (ACL), which lists
the public keys whose imports are allowed. The ACL is stored in
"canonical s-expression" format, via Libgcrypt, as envisioned by SPKI [0]
and as implemented by lsh [1]. Namely, /etc/guix/acl looks like this:

  (acl
   (entry
    (public-key
     (rsa
      (n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
      (e #010001#)))
    (tag (guix import))))

In addition to the actual signature, archive signatures embed the signed
hash and the signer's public key, like this:

  (signature
   (data
    (flags pkcs1)
    (hash sha256 #2749F0EA9F26C6C7BE746A9CFF8FA4C2F2A02B000070DBA78429E9A11F87C6EB#))
   (sig-val
    (rsa
     (s #477143FFA2DF163036599985425A331CAF4FF7FA22083A64BA08BEA0DB3BA95472A56B1EAF5E122716FACC81E8D72FEFF0985DDA162EB22FE5579B27D333B774C89425151198DA7A094E264F18755EEA1F278592555C531ADC9DE86C7BFFB4869C70150DD93D07BC032E830F9314CD7EE204DE3ED74DCBB96F63C7D0CDCCD72A#)))
   (public-key
    (rsa
     (n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
     (e #010001#))))

The good news is that, with a bit of work in (guix nar),
'substitute-binary' will be able to use that mechanism too. So we can
change Hydra to always sign its archives (simple), and 'substitute-binary'
to always check signatures and check the signer against the ACL. The
users can choose whether or not to add hydra.gnu.org's public key to
their ACL.

Comments welcome!

Thanks,
Ludo'.

[0] http://theworld.com/~cme/spki.txt
[1] http://www.lysator.liu.se/~nisse/lsh/lsh.html#Hostauth%20options
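As an added example, not from this message and not Guix's own code: a small Python parser for the s-expression layout shown above, plus the trust decision the import side has to make against the ACL, namely whether the public key embedded in a signature is listed under a (guix import) entry. The ACL, signature and hex values below are constructed placeholders, not real key material.

```python
import re

# Constructed sample ACL and signature in the s-expression layout shown in the
# message above; the hex values are short placeholders, not real key material.
ACL = "(acl (entry (public-key (rsa (n #00C0FFEE#) (e #010001#))) (tag (guix import))))"
SIG = ("(signature (data (flags pkcs1) (hash sha256 #AA#)) (sig-val (rsa (s #01#)))"
       " (public-key (rsa (n #C0FFEE#) (e #010001#))))")
_TOKEN = re.compile(r"\(|\)|#[0-9A-Fa-f\s]*#|[^\s()#]+")

def parse_sexp(text):
    """Parse advanced-format s-expressions into nested lists; #hex# atoms become bytes."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        elif tok.startswith("#"):
            stack[-1].append(bytes.fromhex(tok[1:-1]))
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("malformed s-expression")
    return stack[0][0]

def find(node, name):  # first child list of `node` headed by symbol `name`, or None
    return next((x for x in node[1:] if isinstance(x, list) and x[0] == name), None)

def public_key(node):
    """(public-key (rsa (n #..#) (e #..#))) -> (n, e) as ints, so that a leading
    00 byte (as in the ACL's n above) cannot defeat the comparison."""
    alg = node[1]
    if node[0] != "public-key" or alg[0] != "rsa":
        raise ValueError("unsupported key")
    params = {p[0]: int.from_bytes(p[1], "big") for p in alg[1:]}
    return params["n"], params["e"]

def authorized(signature_text, acl_text, tag=("guix", "import")):
    """True iff the key embedded in the signature is listed in the ACL under an
    entry tagged for import.  The signature carries its own public key, so the
    RSA check alone proves nothing about trust: this lookup is the decision."""
    signer = public_key(find(parse_sexp(signature_text), "public-key"))
    for entry in parse_sexp(acl_text)[1:]:
        tag_node = find(entry, "tag") if entry[0] == "entry" else None
        if tag_node is not None and tag_node[1] == list(tag):
            if public_key(find(entry, "public-key")) == signer:
                return True
    return False
```

The RSA/PKCS#1 verification of the (s ...) value with the embedded key is deliberately left out; it would be done with Libgcrypt, and only after the key has passed this ACL lookup.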