auth-tarball-from-git

auth-tarball-from-git

[kiasoc5]

Authenticate a tarball through a signed tag in a git repository (with reproducible builds).

Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/

Source code: https://github.com/kpcyrd/auth-tarball-from-git

Pretty interesting, could be useful for guix.

Re: auth-tarball-from-git

[zimoun]

Hi,

On lun., 30 mai 2022 at 01:45, kiasoc5@disroot.org wrote:

> Authenticate a tarball through a signed tag in a git repository (with reproducible builds).
>
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/

In this post, it reads:

        Personally - if I had to decide between these two - I’d prefer
        the later because I can always try to authenticate the pinned
        tarball later on, 

which is the case for Guix.  Even, Guix is somehow already implementing
this third way because each commit modifying a package is signed.  From
the post, the file ’chrisduerr.pgp’ and ’kchibisov.pgp’ are the Guix
committer keys [1].

(Hum, I do not understand what this means:

        but it’s impossible to know for sure which source code has been
        used if all I know is “something that had a valid signature on
        it”.

but that’s another story. :-))


Well, in this frame about security, the question is: who trusts who?  I
do not think that the addition of an automatic signature check of source
code’s author key enforces more security for Guix users.  It adds more
complexity and does not fix the current bottleneck of trust: the Guix
packager and Guix committer.

Other said, if you do not trust the Guix packagers and Guix committers,
then you have to personally check the authenticity of the source code.
Using an automatic process with data from Guix packages or Guix
committers contradicts the assumption «you do not trust them».
Therefore, it does not fix the current weakness.

However, such ’auth-tarball-from-git’ can be of high interest when
Submitting Patching [2]:

        2. If the authors of the packaged software provide a
        cryptographic signature for the release tarball, make an effort
        to verify the authenticity of the archive. For a detached GPG
        signature file this would be done with the gpg --verify command.


Cheers,
simon


1: <https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations>
2: <https://guix.gnu.org/manual/devel/en/guix.html#Submitting-Patches>

Re: auth-tarball-from-git

[Ludovic Courtès]

Hi!

kiasoc5@disroot.org skribis:

> Authenticate a tarball through a signed tag in a git repository (with reproducible builds).
>
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/
>
> Source code: https://github.com/kpcyrd/auth-tarball-from-git
>
> Pretty interesting, could be useful for guix.

The example here is about downloading github.com-generated tarballs,
which we don’t do in Guix for other reasons.

The kind of tarballs that Guix packages refer to are not autogenerated;
they contain more than what the VCS has.  Thus, they’re also more
difficult to authenticate if they’re not signed.

Thanks for sharing!

Ludo’.