From: Justus Winter
To: guix-devel@gnu.org
Subject: Securing the software distribution chain
Date: Thu, 23 Jul 2020 13:07:35 +0200
Message-ID: <87blk6wkug.fsf@europa.jade-hamburg.de>
Hello :)

Doing some packaging lately I noticed a weak link in Guix' authentication chain. Artifacts downloaded by Guix are authenticated using a hashsum included in the packaging definition, and 'guix download' will compute this hashsum over artifacts, but the step of authenticating the artifact is a manual one, mentioned in the 'Submitting Patches' checklist:

> Before submitting a patch that adds or modifies a package definition,
> please run through this check list:
>
> 1. If the authors of the packaged software provide a cryptographic
> signature for the release tarball, make an effort to verify the
> authenticity of the archive. For a detached GPG signature file this
> would be done with the gpg --verify command.

For me, this is a tooling problem.
'guix download' should authenticate the downloaded artifact before it computes and prints the hashsum. There are two problems to solve: it needs to locate the signature, and it has to know the set of cryptographic identities eligible to create the signature. For some transports, like git, locating the signatures is not a problem, but for http, there is just no standard on where the detached signature is located, or even what data it is computed over (for example, kernel.org signs the uncompressed tarball). So I think two things need to happen before this step can be improved: the package metadata should include the URL of the signature and a set of cryptographic identities eligible for signing the artifact.

Thinking a bit more about having a hashsum as part of the packaging definition, it seems to me that this is a bit of a modelling error. Because there is no standardized way of authenticating a source distribution, Guix defers this step to the packager. And if there is no way to authenticate an artifact (because upstream doesn't provide signatures), we at least get TOFU, i.e. the assurance that any user gets the same artifact as the packager. This doesn't seem terribly problematic, but it doesn't support parts of the artifact changing, because in this model, this cannot be distinguished from an attack.

Is there a way an artifact may change in a valid way that Guix (and other distributions) may want to support? We believe there is. We propose to solve the problem of locating the signatures by bundling them with the source distribution. Instead of using a detached PGP signature, we want to distribute the source as a signed PGP message. Now, if you compute a hashsum over such an artifact, you are in effect notarizing the signatures in the message and the message payload. If the developers add a signature to the message, the hashsum changes and your notarization breaks.
The preferred way to support this is to not verify that the hashsum over the artifact matches, but to verify the PGP signatures over the payload using the set of eligible signing keys in the package metadata.

Thoughts?
Justus
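The policy proposed in the message, worked through as an added example that is not part of the original post and not Guix code: a small Go program in which an artifact is a payload bundled with any number of signatures, the signed-message layout proposed above. Ed25519 from Go's standard library stands in for OpenPGP signatures, raw public keys stand in for the PGP fingerprints the package metadata would list, and the payload bytes are constructed for the example. It shows that a hash over the whole download changes as soon as a second developer adds a signature, while verifying the bundled signatures over the payload against the eligible key set keeps working, and it rejects a tampered payload, an empty eligible set, and artifacts signed only by keys outside that set.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signature is one signature over the artifact payload. Signer stands in
// for the PGP key identity (fingerprint) the package metadata would list.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Artifact models a source distribution shipped as a signed message:
// the payload plus any number of signatures bundled with it.
type Artifact struct {
	Payload    []byte
	Signatures []Signature
}

// GenerateKey returns a fresh signing identity (stand-in for a PGP key pair).
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign appends a signature over the payload, as a developer does when adding
// their signature to the distributed message. Where upstream signs a
// transformed form (kernel.org signs the uncompressed tarball), the bytes
// signed here would be that form, not the download as received.
func Sign(a *Artifact, priv ed25519.PrivateKey) {
	a.Signatures = append(a.Signatures, Signature{
		Signer: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, a.Payload),
	})
}

// Encode is the byte stream a downloader receives: a length-prefixed payload
// followed by fixed-size signature records (32-byte key, 64-byte signature).
func Encode(a Artifact) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(a.Payload)))
	out := append(n[:], a.Payload...)
	for _, s := range a.Signatures {
		out = append(out, s.Signer...)
		out = append(out, s.Sig...)
	}
	return out
}

// ArtifactHash is what hashing the whole download yields: it notarises the
// signatures together with the payload, so adding a signature changes it.
func ArtifactHash(a Artifact) string {
	sum := sha256.Sum256(Encode(a))
	return hex.EncodeToString(sum[:])
}

// PayloadHash covers only the bytes the signatures are computed over.
func PayloadHash(a Artifact) string {
	sum := sha256.Sum256(a.Payload)
	return hex.EncodeToString(sum[:])
}

// VerifyAgainstEligible is the proposed policy: accept the artifact when at
// least one bundled signature by a key in the eligible set verifies over the
// payload, and return the payload hash. Signatures by keys outside the set are
// ignored (other developers may sign too); a signature that names an eligible
// key but does not verify is treated as tampering and rejected outright.
func VerifyAgainstEligible(a Artifact, eligible ...ed25519.PublicKey) (string, error) {
	if len(eligible) == 0 {
		return "", errors.New("package metadata lists no eligible signing keys")
	}
	valid := 0
	for _, s := range a.Signatures {
		for _, pub := range eligible {
			if !bytes.Equal(pub, s.Signer) {
				continue
			}
			if !ed25519.Verify(pub, a.Payload, s.Sig) {
				return "", errors.New("signature by eligible key does not verify over payload")
			}
			valid++
		}
	}
	if valid == 0 {
		return "", errors.New("no valid signature by an eligible key")
	}
	return PayloadHash(a), nil
}

func main() {
	pubA, privA := GenerateKey()
	pubB, privB := GenerateKey()
	// Constructed payload standing in for a release tarball.
	art := Artifact{Payload: []byte("release-1.0.tar: constructed example contents")}
	Sign(&art, privA)
	before := ArtifactHash(art)
	Sign(&art, privB) // a second developer adds their signature
	fmt.Println("whole-artifact hash changed after second signature:", before != ArtifactHash(art))
	h, err := VerifyAgainstEligible(art, pubA, pubB)
	fmt.Println("payload verified against eligible keys:", err == nil, h)
}
```

Two design choices worth noting. The eligible set is an allow-list, so a third party's extra signature neither helps nor hurts; only a bad signature that claims an eligible identity is fatal, because a packager cannot tell that apart from an attack. And the hash a tool like 'guix download' would print is the payload hash, which is stable across added signatures, whereas the hash over the full download is not. With real OpenPGP the same policy applies, but the verifier must also know what form the signature covers (compressed or uncompressed), which is why the package metadata should record it.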