unofficial mirror of guix-devel@gnu.org 
 help / color / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: Justus Winter <teythoon@avior.uberspace.de>
Cc: guix-devel@gnu.org
Subject: Re: Securing the software distribution chain
Date: Mon, 27 Jul 2020 14:53:53 +0200
Message-ID: <87ime9w23i.fsf@gnu.org> (raw)
In-Reply-To: <87blk6wkug.fsf@europa.jade-hamburg.de> (Justus Winter's message of "Thu, 23 Jul 2020 13:07:35 +0200")

Hi Justus!

Justus Winter <teythoon@avior.uberspace.de> skribis:

>> Before submitting a patch that adds or modifies a package definition,
>> please run through this check list:
>>
>> 1. If the authors of the packaged software provide a cryptographic
>>    signature for the release tarball, make an effort to verify the
>>    authenticity of the archive. For a detached GPG signature file this
>>    would be done with the gpg --verify command.
>
> For me, this is a tooling problem.  'guix download' should authenticate
> the downloaded artifact before it computes and prints the hashsum.
> There are two problems to solve: It needs to locate the signature, and
> it has to know the set of cryptographic identities eligible to create
> the signature.

Note that ‘guix refresh -u’ and ‘guix import gnu’ (and maybe other
importers too?) take care of tarball authentication already.  ‘guix
download’ could share part of the mechanism.  I agree it would be nice.

> For some transports, like git, locating the signatures is not a problem,
> but for http, there is just no standard on where the detatched signature
> is located, or even what data it is computed over (for example,
> kernel.org signs the uncompressed tarball).

Yes, (guix upstream), which is what ‘guix refresh -u’ uses, takes care
of the kernel.org “special case”.

> So I think two things need to happen before this step can be improved:
> The package metadata should include the URL of the signature and a set
> of cryptographic identities eligible for signing the artifact.

The idea of storing cryptographic metadata directly in <origin> has been
discussed a few times:

  https://lists.gnu.org/archive/html/help-guix/2016-08/msg00132.html
  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
  https://git.savannah.gnu.org/cgit/guix.git/tree/TODO?id=6b8875c838d637773813899b35a9b5ea4acfd146#n29

To me, the biggest shortcoming of this approach is if this metadata is
primarily “ornamental”: if in practice, ‘guix build -S’ doesn’t use it
(and it has no reason to use it), then that metadata is likely to become
stale without anyone noticing.

Of course we could have additional tools to make use of that info, say
‘guix build -S --authenticate’ or something.  But that would still be
optional.

> Thinking a bit more about having a hashsum as part of the packaging
> definition, it seems to me that this is a bit of a modelling error.
> Because there is no standardized way of authenticating a source
> distribution, Guix defers this step to the packager.  And if there is no
> way to authenticate an artifact (because upstream doesn't provide
> signatures), we at least get TOFU, i.e. the assurance that any user
> gets the same artifact as the packager.
>
> This doesn't seem terribly problematic, but it doesn't support parts of
> the artifact changing, because in this model, this cannot be
> distinguished from an attack.  Is there a way an artifact may change in
> a valid way that Guix (and other distributions) may want to support?

What do you mean?  If, for example, a tarball is modified in-place
upstream, it’s an error from Guix’ viewpoint.

> We believe there is.  We propose to solve the problem of locating the
> signatures by bundling them with the source distribution.  Instead of
> using a detached PGP signature, we want to distribute the source as a
> signed PGP message.
>
> Now, if you compute a hashsum over such an artifact, you are in effect
> notarizing the signatures in the message and the message payload.  If
> the developers add a signature to the message, the hashsum changes and
> your notarization breaks.
>
> The preferred way to support this is to not verify that the hashsum over
> the artifact matches, but to verify the PGP signatures over the payload
> using the set of eligible signing keys in the package metadata.

In practice, we don’t get to choose the authentication method.  You’re
proposing a different authentication method here, but we’re just
downstream: you’ll have to convince upstreams first.  :-)

On a related note, and perhaps that’s what you mean by “parts of the
artifact changing”, see the discussion on authenticating source code
archived at Software Heritage:

  https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00009.html
  https://forge.softwareheritage.org/T2430#46046
  https://issues.guix.gnu.org/42162#4

Content-addressing is nice, but not very useful if each tool (IPFS, SWH,
Git, Guix) has its own way to address content…

Thoughts?

Ludo’.


  reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-23 11:07 Justus Winter
2020-07-27 12:53 ` Ludovic Courtès [this message]
2020-07-27 18:13   ` zimoun
2020-07-31  9:20   ` Justus Winter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ime9w23i.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=teythoon@avior.uberspace.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

unofficial mirror of guix-devel@gnu.org 

Archives are clonable:
	git clone --mirror https://yhetil.org/guix-devel/0 guix-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-devel guix-devel/ https://yhetil.org/guix-devel \
		guix-devel@gnu.org
	public-inbox-index guix-devel

Example config snippet for mirrors

Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.devel
	nntp://news.gmane.io/gmane.comp.gnu.guix.devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git