unofficial mirror of guix-devel@gnu.org 
From: Maxime Devos <maximedevos@telenet.be>
To: guix-devel@gnu.org
Subject: Public key pinning in guix?
Date: Fri, 07 Jan 2022 21:24:02 +0000
Message-ID: <8dc3fb16db64df6fd71b7ab059c517aa3e779c2b.camel@telenet.be>


Hi guix-devel,

I coded up the following recently:

[start snip]
;; TODO does this check all the right fields?
(define %pinned-public-keys
  '(("content.minetest.net"
     . #u8(188 216 200 89 188 149 240 145 93 189
           114 207 239 50 157 141 57 196 11 102))
    ("ftp.gnu.org"
     . #u8(100 133 126 118 117 115 141 72 253 200 108 158
           64 47 85 199 90 0 253 179 181))
    ("www.stackage.org"
     . #u8(101 7 34 114 166 42 66 55 116 60 42 253
           85 30 134 236 217 108 67 119))
    ("hackage.haskell.org"
     . #u8(80 123 226 229 92 27 203 99 130 198 72
           113 250 28 247 58 254 19 104 79))
    ("fastapi.metacpan.org"
     . #u8(86 7 157 232 133 127 13 58 144 86 37
           162 91 239 203 138 150 84 56 67))
    ("cran.r-project.org"
     . #u8(60 80 123 29 14 43 131 116 105 126 126
           58 154 231 6 150 216 158 70 213))
    ("web.cvs.savannah.gnu.org"
     . #u8(66 134 131 20 232 136 162 102 201
           229 202 93 21 161 26 192 176 3 61 38))))

(use-modules (gnutls) (rnrs bytevectors))
(define old (@@ (gnutls) x509-certificate-matches-hostname?))
(set! (@@ (gnutls) x509-certificate-matches-hostname?)
  (lambda (certificate domain)
    (and (old certificate domain)
         ;;  If the domain name is known to Guix, verify the public key
         ;; -- the CA could be corrupt or compromised!
         (let ((pinned-key (assoc-ref %pinned-public-keys domain)))
           (or (pk 'd domain pinned-key (not pinned-key))
               (bytevector=? pinned-key
                             (x509-certificate-key-id certificate)))))))
[end snip]

I put it in (guix import minetest); it should probably be integrated
into (guix build download) instead.

The purpose is to resist a compromise of the CA system. More
concretely, if you now do "guix refresh -u minetest-moreores"
then a MITM that compromised a CA cannot secretly replace
minetest-moreores with a mod that mines bitcoin for the MITM,
or something.

Possibly also useful for "guix download", "guix import", "guix lint",
"guix build --with-latest=...".

A downside is that whenever content.minetest.net changes public keys,
the pinned public key in Guix needs to be updated. How often does this
happen? I wouldn't know. This could be partially automated with
a "./pre-inst-env guix update-the-pinned-keys" script, and there could
be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as an escape
hatch.

WDYT, worth the trouble or not?
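
The pin check described in the mail, as an added example in Python; it is not part of the original message and is not Guix code. It assumes the pinned value is the SHA-1 of the certificate's DER SubjectPublicKeyInfo (what GnuTLS is assumed to report as the key ID); the function names, the host "pinned.example" and the skeleton certificate built by sample_cert are constructed for illustration.

```python
import hashlib
import hmac
import os

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)  # tbsCertificate SEQUENCE
    tag, _, after = _tlv(cert, pos)
    if tag == 0xA0:              # optional [0] version field
        pos = after
    for _field in range(5):      # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)
    return cert[pos:end]

def key_id(cert):
    """SHA-1 of the SubjectPublicKeyInfo (assumed to equal the GnuTLS key ID)."""
    return hashlib.sha1(spki_der(cert)).digest()

def acceptable(host, cert, hostname_ok, pins, env=os.environ):
    """Hostname/CA validation must pass; a pin, when present, must match too."""
    if not hostname_ok:
        return False
    if env.get("GUIX_IGNORE_KEY_PINNING") == "yes":  # escape hatch from the mail
        return True
    pin = pins.get(host)
    # Unpinned host: CA validation alone decides. Pinned host: compare key IDs.
    return pin is None or hmac.compare_digest(pin, key_id(cert))

def sample_cert(key):
    """Constructed skeleton (not a real certificate) in X.509 field order."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    fields = [der(0xA0, b"\x02\x01\x02"), der(0x02, b"\x01")] + [der(0x30, b"")] * 4
    return der(0x30, der(0x30, b"".join(fields) + der(0x30, key)))

PINS = {"pinned.example": key_id(sample_cert(b"key-A"))}  # constructed pin table
```

Because the pin covers only the SubjectPublicKeyInfo, a certificate renewed with the same key pair still matches; only a key change requires updating the table.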
