[POSTMORTEM] Subkey is not authorized by .guix-authorizations

[POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Andrew Tropin]

[-- Attachment #1: Type: text/plain, Size: 1749 bytes --]


* Summary
On 2022-08-06 the commit 3946540[fn:1] was pushed and lead to failing
guix pull:

--8<---------------cut here---------------start------------->8---
guix pull: error: commit 39465409f0481f27d252ce25d2b02d3f5cbc6723 not
signed by an authorized key: 2841 9AC6 5038 7440 C7E9 2FFA 2208 D209
58C1 DEB0
--8<---------------cut here---------------end--------------->8---

It was discovered and reported to IRC almost immediately by a few
people.  The commit itself was signed and benign[fn:2], but it was signed with
subkey.  While primary key was added to .guix-authorizations, guix pull
still rejected commit signed with subkey.

From the point commit pushed there is no easy way to recover guix
pull.  nckx contacted savannah admins and a few hours later master
branch was reset to the state before 3946540 was pushed.

* Impact
- guix pull of latest commit from master branch couldn't be done for a
  few hours, the possible problem of such DoS is known[fn:3].

* What could be done better?
- guix pull could be done from local checkout, before pushing.
- First commit by a fresh commiter could be pushed on a weekday, after
  checking if maintainers and admins are present.

* What to do after?
- Accept subkey on guix pull if master key is in .guix-authorizations.
- Add tip to Commit Access section about pull from local checkout.
- Add pre-push hook, which checks authorization on Savannah.

* Footnotes

[fn:1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=39465409f0481f27d252ce25d2b02d3f5cbc6723

[fn:2] https://lists.gnu.org/archive/html/help-guix/2022-08/msg00073.html

[fn:3] https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00156.html


-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Felix Lechner via Development of GNU Guix and the GNU System distribution.]

Hi,

On Thu, Aug 11, 2022 at 7:27 AM Andrew Tropin <andrew@trop.in> wrote:
>
> Re: [POSTMORTEM]

I have likewise used those words to describe concluding reports or to
communicate lessons learned, but upon reflection I now prefer
"incident summary" or "debrief". [1] Since both of my suggested
replacements are associated with the military, they are also not great
examples of favoring life over death, but at least the parties are not
yet in the morgue, so there is hope.

Long live Guix!

Kind regards
Felix Lechner

[1] "debriefing strategies maximize ... the collective experience",
https://en.wikipedia.org/wiki/Debriefing

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Maxime Devos]

[-- Attachment #1.1.1: Type: text/plain, Size: 263 bytes --]


On 11-08-2022 16:26, Andrew Tropin wrote:
> * What to do after?
> - Accept subkey on guix pull if master key is in .guix-authorizations.

As I've now written on 57091, this would cause security problems with 
old or revoked keys.

Greetings,
Maxime.


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[John Kehayias]

Hi everyone,

Thanks for this write-up and discussion Andrew. I'm also following along in [0] but I'll just chime in here for now.

When I saw this I was worried since I also "just" use subkeys, meaning for all signing etc. only my subkey is used. These are set to expire each year and then I renew them. For places like GitLab/Hub, this requires deleting the public key and re-adding it after I renew keys. Old commits still show as verified.

Anyway, that's my basic usage and I was worried that I would break a (third party) Guix channel when I was added as a committer. Indeed, that is what just happened, with the same steps: my primary key fingerprint was added to .guix-authorizations. GitLab was happy enough verifying the (subkey signed) commits, and even Cuirass would get the commits and build them. (Side note: does Cuirass not do guix pull? Why would it not fail to pull just as a user?)

All that is to say that I think the use case of someone only using subkeys is valid and one we could expect and should handle. Now, the correct and best way to do that, especially with things like time-travel, I don't know. I just wanted to note that I think only expecting the primary key (rather than subkeys) is limiting.

Finally, as a concrete example of this usage, I manage my keys with a hardware key (YubiKey) and followed this [1] guide to setting up with subkeys that I renew regularly. The primary key isn't really used for much and I think this works well, all I manage is renewal every so often. 

[0] https://issues.guix.gnu.org/57091 

[1] https://github.com/drduh/YubiKey-Guide

John

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Ludovic Courtès]

Hello!

I’m late to the party, but thanks a lot for sending this analysis!

Andrew Tropin <andrew@trop.in> skribis:

> * What could be done better?
> - guix pull could be done from local checkout, before pushing.

Setting a pre-push hook that invokes ‘guix git authenticate’, as
recommended in the manual (info "(guix) Commit Access"), should be
enough: ‘git push’ would just fail in that situation.

> - Accept subkey on guix pull if master key is in .guix-authorizations.

Reported at <https://issues.guix.gnu.org/57091>.

> - Add pre-push hook, which checks authorization on Savannah.

That one is difficult: Guix is not installed on those machines.

Another option would be to push to a different machine, one that we
control, and make Savannah a mirror of that one.

Thoughts?

Ludo’.

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Andrew Tropin]

[-- Attachment #1.1: Type: text/plain, Size: 750 bytes --]

On 2022-09-02 15:23, Ludovic Courtès wrote:

> Hello!
>
> I’m late to the party, but thanks a lot for sending this analysis!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> * What could be done better?
>> - guix pull could be done from local checkout, before pushing.
>
> Setting a pre-push hook that invokes ‘guix git authenticate’, as
> recommended in the manual (info "(guix) Commit Access"), should be
> enough: ‘git push’ would just fail in that situation.

For some reason I thought it does git verify-commit, which I used
manually to check if commit is signed, but it does make authenticate,
which of course works the other way.  Missed it, my bad.

I have elaborated on this topic a little more in the manual.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-doc-Add-more-info-about-commits-signature-local-veri.patch --]
[-- Type: text/x-patch, Size: 1436 bytes --]

From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Mon, 5 Sep 2022 09:46:23 +0300
Subject: [PATCH] doc: Add more info about commits signature local
 verification.

* doc/contributing.texi (Commit Access): Add more info about commits signature
local verification.
---
 doc/contributing.texi | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/doc/contributing.texi b/doc/contributing.texi
index b1d236c011..17a54f94cc 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1627,14 +1627,23 @@ git config commit.gpgsign true
 git config user.signingkey CABBA6EA1DC0FF33
 @end example
 
-You can prevent yourself from accidentally pushing unsigned commits to
-Savannah by using the pre-push Git hook located at
-@file{etc/git/pre-push}:
+To check that commits are signed with correct key, use:
+
+@example
+make authenticate
+@end example
+
+You can prevent yourself from accidentally pushing unsigned or signed
+with the wrong key commits to Savannah by using the pre-push Git hook
+located at @file{etc/git/pre-push}:
 
 @example
 cp etc/git/pre-push .git/hooks/pre-push
 @end example
 
+It additionally calls @code{make check-channel-news} to be sure
+@file{news.scm} file is correct.
+
 @subsection Commit Policy
 
 If you get commit access, please make sure to follow
-- 
2.37.2


[-- Attachment #1.3: Type: text/plain, Size: 640 bytes --]


>> - Accept subkey on guix pull if master key is in .guix-authorizations.
>
> Reported at <https://issues.guix.gnu.org/57091>.
>
>> - Add pre-push hook, which checks authorization on Savannah.
>
> That one is difficult: Guix is not installed on those machines.
>
> Another option would be to push to a different machine, one that we
> control, and make Savannah a mirror of that one.

It can work, but looks fragile.

>
> Thoughts?

Let's ask savannah admins if it possible to install guix on those
machines and add pre-receive/update hook?  If not, we will look for
other options.

-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Ludovic Courtès]

Hi,

Andrew Tropin <andrew@trop.in> skribis:

>> Setting a pre-push hook that invokes ‘guix git authenticate’, as
>> recommended in the manual (info "(guix) Commit Access"), should be
>> enough: ‘git push’ would just fail in that situation.
>
> For some reason I thought it does git verify-commit, which I used
> manually to check if commit is signed, but it does make authenticate,
> which of course works the other way.  Missed it, my bad.

OK.

> I have elaborated on this topic a little more in the manual.
>
> From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Mon, 5 Sep 2022 09:46:23 +0300
> Subject: [PATCH] doc: Add more info about commits signature local
>  verification.
>
> * doc/contributing.texi (Commit Access): Add more info about commits signature
> local verification.

It’s certainly an improvement, LGTM!

> Let's ask savannah admins if it possible to install guix on those
> machines and add pre-receive/update hook?  If not, we will look for
> other options.

I’m busy these days so I’d rather not commit to starting a discussion on
this, but I’d suggest testing waters on #savannah on IRC.

Thanks,
Ludo’.

Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 578 bytes --]

Ludovic Courtès 写道：
> I’m busy these days so I’d rather not commit to starting a 
> discussion on
> this, but I’d suggest testing waters on #savannah on IRC.

They weren't wild about it.  We'd be asking for a lot from their 
perspective.  I haven't given up on convincing them otherwise, but 
an alternative approach would be to write a minimum viable 
verifier (the machine has Guile \o/ although it might need 
updating), and then just regularly pull the guix repository as 
(keyring) data, without executing any of its code.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]