From: "Ludovic Courtès" <ludo@gnu.org>
To: Justus Winter <teythoon@avior.uberspace.de>
Cc: guix-devel@gnu.org
Subject: Re: Securing the software distribution chain
Date: Mon, 24 Aug 2020 16:36:22 +0200 [thread overview]
Message-ID: <87blj02jrt.fsf@gnu.org> (raw)
In-Reply-To: <87lfj0ujkk.fsf@europa.jade-hamburg.de> (Justus Winter's message of "Fri, 31 Jul 2020 11:20:43 +0200")
Hi!
Justus Winter <teythoon@avior.uberspace.de> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> The idea of storing cryptographic metadata directly in <origin> has been
>> discussed a few times:
>>
>> https://lists.gnu.org/archive/html/help-guix/2016-08/msg00132.html
>> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>> https://git.savannah.gnu.org/cgit/guix.git/tree/TODO?id=6b8875c838d637773813899b35a9b5ea4acfd146#n29
>>
>> To me, the biggest shortcoming of this approach is if this metadata is
>> primarily “ornamental”: if in practice, ‘guix build -S’ doesn’t use it
>> (and it has no reason to use it), then that metadata is likely to become
>> stale without anyone noticing.
>
> On the other hand, most packaging metadata is ornamental. There is no
> way to tell if synopsis or description is up to date or correct. With
> signing metadata there is a way to detect this, so I don't see how
> tracking signing metadata is worse than tracking the description.
[...]
>> Of course we could have additional tools to make use of that info, say
>> ‘guix build -S --authenticate’ or something. But that would still be
>> optional.
>
> Don't make it optional! Empower and encourage us downstream users to
> verify upstream signatures and verify that the packager is honest, like
> you empower us to build software and verify that the substitution
> builder is honest.
Fundamentally, users trust packagers: they run their code. Yet,
making it easier for users to audit the work of packagers sounds like a
good idea. I agree with the philosophy.
I guess I poorly explained myself. To put it differently, there is no
obvious place where signature verification fits here: the model is that
Guix code itself is authentic, and thus all that matters is ensuring
that we get the right content (checking the hash of origins). Signature
metadata is “silent” in that model.
We can introduce signature verification in (guix download): every time
code is downloaded and signature metadata is available, we verify its
signature. Unfortunately, I’m afraid this is likely to lead to lots of
false positives, and in particular failure to retrieve the OpenPGP key.
WDYT? Where would you integrate that?
>>> Thinking a bit more about having a hashsum as part of the packaging
>>> definition, it seems to me that this is a bit of a modelling error.
>>> Because there is no standardized way of authenticating a source
>>> distribution, Guix defers this step to the packager. And if there is no
>>> way to authenticate an artifact (because upstream doesn't provide
>>> signatures), we at least get TOFU, i.e. the assurance that any user
>>> gets the same artifact as the packager.
>>>
>>> This doesn't seem terribly problematic, but it doesn't support parts of
>>> the artifact changing, because in this model, this cannot be
>>> distinguished from an attack. Is there a way an artifact may change in
>>> a valid way that Guix (and other distributions) may want to support?
>>
>> What do you mean? If, for example, a tarball is modified in-place
>> upstream, it’s an error from Guix’ viewpoint.
>
> I mean that the tarball inside the OpenPGP message stays the same, but
> we attach more signatures to the OpenPGP message over time.
I see. We’ve only encountered detached signatures so far.
>>> We believe there is. We propose to solve the problem of locating the
>>> signatures by bundling them with the source distribution. Instead of
>>> using a detached PGP signature, we want to distribute the source as a
>>> signed PGP message.
>>>
>>> Now, if you compute a hashsum over such an artifact, you are in effect
>>> notarizing the signatures in the message and the message payload. If
>>> the developers add a signature to the message, the hashsum changes and
>>> your notarization breaks.
>>>
>>> The preferred way to support this is to not verify that the hashsum over
>>> the artifact matches, but to verify the PGP signatures over the payload
>>> using the set of eligible signing keys in the package metadata.
>>
>> In practice, we don’t get to choose the authentication method. You’re
>> proposing a different authentication method here, but we’re just
>> downstream: you’ll have to convince upstreams first. :-)
>
> Well, I'm a upstream, and this is your heads up that you are not
> prepared to deal with our source distribution scheme of choice. And,
> we're hoping to convince other projects to use our scheme as well.
>
> We've been talking about this problem internally, and we have concluded
> that it is useful to be able to pin the source tarball to an exact
> version as you do now. That is possible with our scheme by hashing only
> the literal data of the signed OpenPGP message. That requires some
> OpenPGP parsing, but guix/openpgp.scm should support that.
(We = Sequoia-PGP, right?)
It should be possible to use to support this scheme by implementing a
new method for origins. We would still require the origin hash to be
that of the extracted directory or tarball, which appropriate tooling
could simplify.
Thanks,
Ludo’.
next prev parent reply other threads:[~2020-08-24 14:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-23 11:07 Securing the software distribution chain Justus Winter
2020-07-27 12:53 ` Ludovic Courtès
2020-07-27 18:13 ` zimoun
2020-07-31 9:20 ` Justus Winter
2020-08-24 14:36 ` Ludovic Courtès [this message]
2020-08-25 10:01 ` Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87blj02jrt.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=teythoon@avior.uberspace.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).