* Signed archive export/import
@ 2013-12-20 16:33 Ludovic Courtès
2013-12-20 17:04 ` Andreas Enge
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Ludovic Courtès @ 2013-12-20 16:33 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2016 bytes --]
Hi!
With commit 526382f, the daemon supports exporting signed “Nix archives”
of a set of store files, and importing signed archives (using public key
crypto.) This is useful, for instance, to transfer files from one
machine to another, as is the case in a typical Hydra build farm.
The daemon is equipped to call out to the ‘openssl’ program for signing
and signature verification, but the goal here was to do away with
OpenSSL, since we have a couple of great alternatives in GNU. ;-)
(In practice this means that our crypto material uses a different format
that the one used in Nix.)
So the (guix pk-crypto) module provides bindings to the public key API
of GNU Libgcrypt, and the ‘guix authenticate’ command is a drop-in
replacement for the ‘openssl’ program that the daemon invokes (see
‘local-store.cc’.)
The modus operandi is that administrators add a libgcrypt-generated key
pair to /etc/guix/signing-key.{pub,sec} (typically an RSA key pair).
Exported archives are automatically signed with the secret key, and
imported archives must carry a valid signature verified with
signing-key.pub.
I find the latter a bit limiting, as it means that all the machines in
the build farm must have the same key pair installed. So instead, I’m
inclined to add an ‘authorized key’ list, as with SSH.
From there, we need a few more things:
- a ‘guix archive’ command to easily import/export archives, and to
generate a key pair;
- a ‘guix copy’ command to copy a set of store files (and their
dependencies) between two machines (similar to ‘nix-copy-closure’);
- a daemon “build hook” to automatically off-load builds to remote
machines (see <http://nixos.org/nix/manual/#chap-distributed-builds>
for an overview.)
The practical goal is to have an additional Intel build machine, and
ideally a mips64 build machine hooked up into Hydra by the end of
January.
As usual, feedback welcome!
Ludo’.
[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 16:33 Signed archive export/import Ludovic Courtès
@ 2013-12-20 17:04 ` Andreas Enge
2013-12-20 17:54 ` Ludovic Courtès
2013-12-22 0:14 ` Ludovic Courtès
2013-12-29 15:11 ` Ludovic Courtès
2 siblings, 1 reply; 9+ messages in thread
From: Andreas Enge @ 2013-12-20 17:04 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Hello!
The check of the crypto part fails with
FAIL: tests/pk-crypto
=====================
%%%% Starting test pk-crypto (Writing full log to "pk-crypto.log")
FAIL string->gcry-sexp->string
# of expected passes 6
# of unexpected failures 1
using an older libgcrypt 1.5.3 from Guix; is version 1.6 required?
tests/store also fails, but this might be a consequence.
Andreas
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 17:04 ` Andreas Enge
@ 2013-12-20 17:54 ` Ludovic Courtès
2013-12-20 18:13 ` Andreas Enge
0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2013-12-20 17:54 UTC (permalink / raw)
To: Andreas Enge; +Cc: guix-devel
Andreas Enge <andreas@enge.fr> skribis:
> FAIL: tests/pk-crypto
> =====================
> %%%% Starting test pk-crypto (Writing full log to "pk-crypto.log")
> FAIL string->gcry-sexp->string
> # of expected passes 6
> # of unexpected failures 1
>
> using an older libgcrypt 1.5.3 from Guix; is version 1.6 required?
Thanks for the quick feedback! I tested with 1.6 but it should work
with 1.5.
Could you post $top_builddir/{pk-cryto,store}.log ?
TIA,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 17:54 ` Ludovic Courtès
@ 2013-12-20 18:13 ` Andreas Enge
2013-12-20 23:13 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Andreas Enge @ 2013-12-20 18:13 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 145 bytes --]
On Fri, Dec 20, 2013 at 06:54:50PM +0100, Ludovic Courtès wrote:
> Could you post $top_builddir/{pk-cryto,store}.log ?
Here they are!
Andreas
[-- Attachment #2: pk-crypto.log --]
[-- Type: text/plain, Size: 1290 bytes --]
%%%% Starting test pk-crypto
Group begin: pk-crypto
Test begin:
test-name: "string->gcry-sexp->string"
Test end:
result-kind: fail
actual-value: ("(foo bar)" "\"Àÿî\"" "(genkey \n (rsa \n (nbits \"1024\")\n )\n )")
expected-value: ("(foo bar)" "#C0FFEE#" "(genkey \n (rsa \n (nbits \"1024\")\n )\n )")
Test begin:
test-name: "find-sexp-token"
Test end:
result-kind: pass
actual-value: ("(foo bar)" "(baz \"123\")" #f)
expected-value: ("(foo bar)" "(baz \"123\")" #f)
Test begin:
test-name: "gcry-sexp-car + cdr"
Test end:
result-kind: pass
actual-value: ("(b \n (c xyz)\n )")
expected-value: ("(b \n (c xyz)\n )")
Test begin:
test-name: "gcry-sexp-nth"
Test end:
result-kind: pass
actual-value: (#f "(b pqr)" "(c \"456\")" "(d xyz)" #f #f)
expected-value: (#f "(b pqr)" "(c \"456\")" "(d xyz)" #f #f)
Test begin:
test-name: "gcry-sexp-nth-data"
Test end:
result-kind: pass
actual-value: ("Name" "Otto" "Meier" #f #f #f)
expected-value: ("Name" "Otto" "Meier" #f #f #f)
Test begin:
test-name: "bytevector->hash-data->bytevector"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "sign + verify"
Test end:
result-kind: pass
actual-value: #t
Group end: pk-crypto
# of expected passes 6
# of unexpected failures 1
[-- Attachment #3: store.log --]
[-- Type: text/plain, Size: 8745 bytes --]
%%%% Starting test store
Group begin: store
Test begin:
test-name: "store-path-hash-part"
Test end:
result-kind: pass
actual-value: "283gqy39v3g9dxjy26rynl0zls82fmcg"
expected-value: "283gqy39v3g9dxjy26rynl0zls82fmcg"
Test begin:
test-name: "store-path-hash-part #f"
Test end:
result-kind: pass
actual-value: #f
expected-value: #f
Test begin:
test-name: "store-path-package-name"
Test end:
result-kind: pass
actual-value: "guile-2.0.7"
expected-value: "guile-2.0.7"
Test begin:
test-name: "store-path-package-name #f"
Test end:
result-kind: pass
actual-value: #f
expected-value: #f
Test begin:
test-name: "direct-store-path?"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "dead-paths"
Test end:
result-kind: pass
actual-value: ("/home/privat/Programme/guix/test-tmp/store/xz8hp3b3s5bmvq5siv07hqcnr145k6hh-random-text" "/home/privat/Programme/guix/test-tmp/store/y00jgcrcq7q1pw72z2cnln1m216y0csg-the-thing" "/home/privat/Programme/guix/test-tmp/store/y1wqsha0dj0gjiwzcgh2w64y1a2gs488-gawk-4.1.0.drv" "/home/privat/Programme/guix/test-tmp/store/y1wv3374hfppfjdam98631jnnaiafksy-module-import" "/home/privat/Programme/guix/test-tmp/store/y1yx10cx27bbsdq2k07nvkjz023p84az-lsh-2.1.tar.gz.drv" "/home/privat/Programme/guix/test-tmp/store/y35fjs3hdzqywa0iszjpgjjpxay5p95b-pixman-0.32.4.tar.gz.drv" "/home/privat/Programme/guix/test-tmp/store/y38f0g6vj680k3zbm6n91aadg97akxdq-drv-to-remap.drv" "/home/privat/Programme/guix/test-tmp/store/y3in4m36hvsvgycakl1fk4khdddmmpak-binutils-2.23.2-guile-builder" "/home/privat/Programme/guix/test-tmp/store/y7bavvsccl2s1jx3l087nyk181zxf80x-glibc-2.18.tar.xz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/y7k188sf4p77k3v3d73hsx470d46fxhy-expat-2.1.0.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yakz417zjhknz5m7jw8kk7w1favkjj3c-libice-1.0.8.drv" "/home/privat/Programme/guix/test-tmp/store/yf002jrfc5yl9ds4kciflrg942gx89ym-cairo-1.12.16.tar.xz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yg240ng3dbzib9yc1jj1wrivs4385fif-libspectre-0.2.7.tar.gz.drv" "/home/privat/Programme/guix/test-tmp/store/ygk0jqvzbrmpnv6ypp64crsrd55assws-glib-2.38.0.tar.xz.drv" "/home/privat/Programme/guix/test-tmp/store/ygr0nl77zc4qn4s24mcssfw6gaq4jvkw-tar-1.27.1-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yhp6mj4bk6h771bxm9wh55nvgf82dm4a-libXpm-3.5.10.tar.bz2-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yi1f2r313liqr8kdphpsp403hr63wrln-gcc-cross-mips64el-linux-gnu-4.8.2.drv" "/home/privat/Programme/guix/test-tmp/store/yiqradr753aw77w2nl89i42va02iavvj-profile-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yjqma7kv1f6nz5fvj6c13cv4csc5vrv0-final.drv" "/home/privat/Programme/guix/test-tmp/store/yl1dl8xfjfzsip7f79kcrhalr0zfj2iq-libffi-3.0.13-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yr9msqacp3ymba13yhsjdd7ldjpqqy2h-flex-2.5.37.tar.xz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yriik2szp7sisr5gjhjglwh3r1bgxgzz-multiple.drv" "/home/privat/Programme/guix/test-tmp/store/yscj1xvzvdar2ssk7s08zhp45gb33m91-gdk-pixbuf-2.28.2.drv" "/home/privat/Programme/guix/test-tmp/store/yvkqyg77yp6m6rqn0fc2c3sf6kizqic3-attr-2.4.46-guile-builder" "/home/privat/Programme/guix/test-tmp/store/ywbjif0129vprdny7xwbcbsbvyd0qw8p-libsigsegv-2.10.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yxirvpvmv351clvcm5ngik7bw525miig-pixman-0.32.4-guile-builder" "/home/privat/Programme/guix/test-tmp/store/yz1w8yxhwvhy60y4nvh4f9jbfzki6b1l-guile-1.8-cpp-4.5.patch" "/home/privat/Programme/guix/test-tmp/store/z16yd1mcq8g9d23smhhyv1h07fga3hj4-guile-2.0.9.tar.xz" "/home/privat/Programme/guix/test-tmp/store/z2a26gxra9bh0psr8dr00gvxwrx9w3md-readline-6.2.tar.xz.drv" "/home/privat/Programme/guix/test-tmp/store/z31a7brjmvs9yf2dip5kpvccrz26s0ai-libxdmcp-1.1.1.drv" "/home/privat/Programme/guix/test-tmp/store/z3mchck8xkj7iqx7y5qsszf93791bx70-ld-wrapper.scm" "/home/privat/Programme/guix/test-tmp/store/z5n7m3ddy8l7ai8z2k7bxb2lr68hagbi-xextproto-7.2.1.tar.bz2.drv" "/home/privat/Programme/guix/test-tmp/store/z5pf63qwxz9hxknmpr1xp0aia8887n4l-perl-5.16.1.tar.gz.drv" "/home/privat/Programme/guix/test-tmp/store/z87bvadq9kyhhix5x7spgl6fm0afl8k9-attr-2.4.46.src.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/z8wv0i84h90ajv92907s2bkjqhpfl9px-libXdmcp-1.1.1.tar.bz2-guile-builder" "/home/privat/Programme/guix/test-tmp/store/z9821jq4w8k23q26avbvl8vfza9jglna-gettext-0.18.3.1.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zbsxp4m38pcgfls815a5ahi1vnph2c8z-liboop-1.0-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zbvh9v7mg7k7ykkw7rvg5c32ws20rai0-glibc-2.18.tar.xz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zcqimz2b8jxyr5hnjl9p4hh1l7s7iy0y-make-4.0.tar.xz" "/home/privat/Programme/guix/test-tmp/store/zdabrnx82h728j47cjj43ajv75v889a1-gcc-cross-sans-libc-mips64el-linux-gnu-4.8.2-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zdf52mkwx6jq0vdj9fh1jpymi90405qv-profile.drv" "/home/privat/Programme/guix/test-tmp/store/zdg3y4nvb7zh3pwf19fd5i6k3rf40jbk-file-5.12.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zdpzf3pdhlvl540n0avijpk64fdda8i2-glib-2.38.0-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zfaml79pmqxyqjj54d5nbixr0li1zvs0-the-thing" "/home/privat/Programme/guix/test-tmp/store/zglji6naqdrbfsxp49klx5ij4n0s17a0-double-second" "/home/privat/Programme/guix/test-tmp/store/zh8vdnzhv903nil00lam91wyslv5dis0-ld-wrapper-0-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zi35qygqyhp48i5irzlkah4g1dcii7w3-binutils-bootstrap-0.drv" "/home/privat/Programme/guix/test-tmp/store/zi9mniq486b5ms34j9q453p41715ka9m-libunistring-0.9.3-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zjdd17kv1h119i9xpah3r7nih2xrk1pk-libtool-2.4.2-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zkap5p22nzyvp5kzhpjy5fc5cj73prsf-patchelf-0.6.tar.bz2.drv" "/home/privat/Programme/guix/test-tmp/store/zkv194gdpzv8zcgy898lzmwnkpc74j6f-findutils-4.4.2" "/home/privat/Programme/guix/test-tmp/store/zmhdbx5bw0vnxjxkv5b0k066lilb8sl3-random3" "/home/privat/Programme/guix/test-tmp/store/zmx10i26aq1x5a3sas4vypk6lxqia9wa-libICE-1.0.8.tar.bz2.drv" "/home/privat/Programme/guix/test-tmp/store/zq5720484fjzxjc3rz4mph7d9b8nwby7-gcc-cross-boot0-4.8.2.drv" "/home/privat/Programme/guix/test-tmp/store/zqspldk17kwa3hdi9vgpjdavr5wqs1kr-bash-4.2.tar.gz-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zr240d4gpyh3c34pccr7xr2q7nhbdl5q-util-macros-1.17.tar.bz2.drv" "/home/privat/Programme/guix/test-tmp/store/zscvh06125x6f9ma46d9zi4xcb3frhql-p-0-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zswz0iph2lbr7iqyzq42p8yn3ggj9wnr-foo.drv" "/home/privat/Programme/guix/test-tmp/store/zw1fhms8jrdvzzvlix95sz6p3i23sl6b-patch-2.7.1-guile-builder" "/home/privat/Programme/guix/test-tmp/store/zw4xq6z6ycw8drprqclhz3vw9br9h762-openssl-1.0.1c.drv" "/home/privat/Programme/guix/test-tmp/store/zwc48vvyk4js3jw460cgmw4qd6v6a7rs-libxrender-0.9.7.drv" "/home/privat/Programme/guix/test-tmp/store/zwkvimvh2l6fzinpipifzgs22b01r4rs-prereq-subst.drv" "/home/privat/Programme/guix/test-tmp/store/zxv4z0lczkcrrds4zz1lsgaq519nc4z4-fail.sh" "/home/privat/Programme/guix/test-tmp/store/zxwblx4cyi2xiq4z5n0cq2bfrvvr76k1-binutils-cross-boot0-2.23.2.drv" "/home/privat/Programme/guix/test-tmp/store/zzq16r93axgfy98n5qrkjblzm2hx5d1v-bzip2-1.0.6-guile-builder")
Test begin:
test-name: "dead path can be explicitly collected"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "references"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "requisites"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "derivers"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "log-file, derivation"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "log-file, output file name"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "no substitutes"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "substitute query"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "substitute"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "substitute --fallback"
Test end:
result-kind: pass
actual-value: #t
Test begin:
test-name: "export/import several paths"
Test end:
result-kind: fail
actual-value: #f
Test begin:
test-name: "import corrupt path"
Test end:
result-kind: fail
actual-value: #f
Group end: store
# of expected passes 16
# of unexpected failures 2
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 18:13 ` Andreas Enge
@ 2013-12-20 23:13 ` Ludovic Courtès
0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2013-12-20 23:13 UTC (permalink / raw)
To: Andreas Enge; +Cc: guix-devel
Andreas Enge <andreas@enge.fr> skribis:
> On Fri, Dec 20, 2013 at 06:54:50PM +0100, Ludovic Courtès wrote:
>> Could you post $top_builddir/{pk-cryto,store}.log ?
[...]
> Test begin:
> test-name: "string->gcry-sexp->string"
> Test end:
> result-kind: fail
> actual-value: ("(foo bar)" "\"Àÿî\"" "(genkey \n (rsa \n (nbits \"1024\")\n )\n )")
> expected-value: ("(foo bar)" "#C0FFEE#" "(genkey \n (rsa \n (nbits \"1024\")\n )\n )")
OK, I “fixed” this by commenting out the “#C0FFEE#” test.
Likewise, commit 0a66781 adjust the “gcry-sexp-nth” test to match (or
rather hide) the semantics change.
Both are harmless for our purposes, AFAICS.
[...]
> Test begin:
> test-name: "export/import several paths"
> Test end:
> result-kind: fail
> actual-value: #f
> Test begin:
> test-name: "import corrupt path"
> Test end:
> result-kind: fail
> actual-value: #f
Did you rebuild ‘guix-daemon’? If not, you should. (I can’t reproduce
it locally with Libgcrypt 1.5.3.)
If that’s not enough, could you post relevant info from
‘test-suite.log’?
TIA,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 16:33 Signed archive export/import Ludovic Courtès
2013-12-20 17:04 ` Andreas Enge
@ 2013-12-22 0:14 ` Ludovic Courtès
2013-12-29 15:11 ` Ludovic Courtès
2 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2013-12-22 0:14 UTC (permalink / raw)
To: guix-devel
ludo@gnu.org (Ludovic Courtès) skribis:
> - a ‘guix archive’ command to easily import/export archives, and to
> generate a key pair;
Done in commit 760c60d; see the doc below.
Ludo’.
3.6 Invoking ‘guix archive’
===========================
The ‘guix archive’ command allows users to "export" files from the store
into a single archive, and to later "import" them. In particular, it
allows store files to be transferred from one machine to another
machine’s store. For example, to transfer the ‘emacs’ package to a
machine connected over SSH, one would run:
guix archive --export emacs | ssh the-machine guix archive --import
Archives are stored in the “Nix archive” or “Nar” format, which is
comparable in spirit to ‘tar’. When exporting, the daemon digitally
signs the contents of the archive, and that digital signature is
appended. When importing, the daemon verifies the signature and rejects
the import in case of an invalid signature.
The main options are:
‘--export’
Export the specified store files or packages (see below.) Write
the resulting archive to the standard output.
‘--import’
Read an archive from the standard input, and import the files
listed therein into the store. Abort if the archive has an invalid
digital signature.
To export store files as an archive to the standard output, run:
guix archive --export OPTIONS SPECIFICATIONS...
SPECIFICATIONS may be either store file names or package
specifications, as for ‘guix package’ (*note Invoking guix package::).
For instance, the following command creates an archive containing the
‘gui’ output of the ‘git’ package and the main output of ‘emacs’:
guix archive --export git:gui /nix/store/...-emacs-24.3 > great.nar
If the specified packages are not built yet, ‘guix archive’
automatically builds them. The build process may be controlled with the
same options that can be passed to the ‘guix build’ command (*note
Invoking guix build::).
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-20 16:33 Signed archive export/import Ludovic Courtès
2013-12-20 17:04 ` Andreas Enge
2013-12-22 0:14 ` Ludovic Courtès
@ 2013-12-29 15:11 ` Ludovic Courtès
2014-01-03 22:15 ` Ludovic Courtès
2 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2013-12-29 15:11 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2713 bytes --]
Howdy!
ludo@gnu.org (Ludovic Courtès) skribis:
> The modus operandi is that administrators add a libgcrypt-generated key
> pair to /etc/guix/signing-key.{pub,sec} (typically an RSA key pair).
> Exported archives are automatically signed with the secret key, and
> imported archives must carry a valid signature verified with
> signing-key.pub.
>
> I find the latter a bit limiting, as it means that all the machines in
> the build farm must have the same key pair installed. So instead, I’m
> inclined to add an ‘authorized key’ list, as with SSH.
I spent a bit of holiday time on this, and just committed the result.
So now the daemon has a SPKI-style access-control list (ACL), which
lists the public keys whose imports are allowed. The ACL is stored in
“canonical s-expression” format, via Libgcrypt, as envisioned by SPKI
[0] and as implemented by lsh [1].
Namely, /etc/guix/acl looks like this:
(acl
(entry
(public-key
(rsa
(n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
(e #010001#)))
(tag (guix import))))
In addition to the actual signature, archive signatures embed the signed
hash and the signer’s public key, like this:
(signature
(data
(flags pkcs1)
(hash sha256 #2749F0EA9F26C6C7BE746A9CFF8FA4C2F2A02B000070DBA78429E9A11F87C6EB#))
(sig-val
(rsa
(s #477143FFA2DF163036599985425A331CAF4FF7FA22083A64BA08BEA0DB3BA95472A56B1EAF5E122716FACC81E8D72FEFF0985DDA162EB22FE5579B27D333B774C89425151198DA7A094E264F18755EEA1F278592555C531ADC9DE86C7BFFB4869C70150DD93D07BC032E830F9314CD7EE204DE3ED74DCBB96F63C7D0CDCCD72A#)))
(public-key
(rsa
(n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#)
(e #010001#))))
The good news is that, with a bit of work in (guix nar),
‘substitute-binary’ will be able to use that mechanism too. So we can
change Hydra to always sign its archives (simple), and
‘substitute-binary’ to always check signatures and check the signer
against the ACL. The users can choose whether or not to add
hydra.gnu.org’s public key to their ACL.
Comments welcome!
Thanks,
Ludo’.
[0] http://theworld.com/~cme/spki.txt
[1] http://www.lysator.liu.se/~nisse/lsh/lsh.html#Hostauth%20options
[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2013-12-29 15:11 ` Ludovic Courtès
@ 2014-01-03 22:15 ` Ludovic Courtès
2014-01-10 13:21 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2014-01-03 22:15 UTC (permalink / raw)
To: guix-devel
ludo@gnu.org (Ludovic Courtès) skribis:
> The good news is that, with a bit of work in (guix nar),
> ‘substitute-binary’ will be able to use that mechanism too. So we can
> change Hydra to always sign its archives (simple), and
> ‘substitute-binary’ to always check signatures and check the signer
> against the ACL. The users can choose whether or not to add
> hydra.gnu.org’s public key to their ACL.
It turns out that changing Hydra to always sign is not as simple as I
initially thought, because it doesn’t export archives via the
‘export-paths’ RPC (the one that knows how to sign them.)
So we’re back to discussing another approach with the (apparently
unmotivated) Hydra folks, probably adding a ‘Signature’ field to the
.narinfo files (see
<http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html> and
<http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011203.html>.)
Anyone knowledgeable with Perl, Nix, and diplomacy is welcome here. :-)
We should also start thinking more about decentralized distribution.
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Signed archive export/import
2014-01-03 22:15 ` Ludovic Courtès
@ 2014-01-10 13:21 ` Ludovic Courtès
0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2014-01-10 13:21 UTC (permalink / raw)
To: guix-devel
ludo@gnu.org (Ludovic Courtès) skribis:
> ludo@gnu.org (Ludovic Courtès) skribis:
>
>> The good news is that, with a bit of work in (guix nar),
>> ‘substitute-binary’ will be able to use that mechanism too. So we can
>> change Hydra to always sign its archives (simple), and
>> ‘substitute-binary’ to always check signatures and check the signer
>> against the ACL. The users can choose whether or not to add
>> hydra.gnu.org’s public key to their ACL.
>
> It turns out that changing Hydra to always sign is not as simple as I
> initially thought, because it doesn’t export archives via the
> ‘export-paths’ RPC (the one that knows how to sign them.)
>
> So we’re back to discussing another approach with the (apparently
> unmotivated) Hydra folks, probably adding a ‘Signature’ field to the
> .narinfo files (see
> <http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html> and
> <http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011203.html>.)
Good news: Eelco Dolstra (of Nix) implemented what he had in mind in
Hydra and Nix’s substituter (thanks!):
https://github.com/NixOS/nix/commit/0fdf4da0e979f992db75cc17376e455ddc5a96d8
https://github.com/NixOS/hydra/commit/a598fe7e817e116cdf4d3202458d138202e869f1
So what we need to do now is to adjust substitute-binary.scm to handle
these signatures, and to make sure Hydra can use ‘guix authenticate’
instead of ‘openssl’.
I’ll look into it when I’m done with offload support, but I’m happy to
discuss it further if someone else wants to give it a go!
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2014-01-10 13:26 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-12-20 16:33 Signed archive export/import Ludovic Courtès
2013-12-20 17:04 ` Andreas Enge
2013-12-20 17:54 ` Ludovic Courtès
2013-12-20 18:13 ` Andreas Enge
2013-12-20 23:13 ` Ludovic Courtès
2013-12-22 0:14 ` Ludovic Courtès
2013-12-29 15:11 ` Ludovic Courtès
2014-01-03 22:15 ` Ludovic Courtès
2014-01-10 13:21 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).