all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: ng0 <ng0@n0.is>
To: 22883@debbugs.gnu.org
Subject: bug#22883: Authenticating a Git checkout
Date: Mon, 6 Jun 2016 12:20:52 +0000	[thread overview]
Message-ID: <20160606122052.GA21849@khazad-dum> (raw)
In-Reply-To: <20160604122003.GA12299@khazad-dum>

[-- Attachment #1: Type: text/plain, Size: 6030 bytes --]

On 2016-06-04(12:45:16PM+0000), ng0 wrote:
> On 2016-06-04(01:17:53+0200), Ludovic Courtès wrote:
> > Hi!
> >
> > Mike Gerwitz <mtg@gnu.org> skribis:
> >
> > > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote:
> > >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and
> > >> there’s no way to set it globally.
> > >
> > > That's unfortunate.  Does your checkout scenario include a fresh clone?
> > > If so, a pull flag wouldn't help there.
> > >
> > > Leo mentioned a patch; I don't think that'd be too difficult (looking at
> > > other config options in builtin/pull.c), and would be a great idea.  It
> > > appears to pass it off to merge.c; that might be a useful area to verify
> > > signatures as well (pull being a fetch && merge/rebase), in a general
> > > sense.
> >
> > Yeah, it wouldn’t be too hard to add to Git proper, I think, but we
> > can even live without it initially.
> >
> > >> Second, even if it did, it would be a shallow check: as Mike notes in
> > >> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’
> > >> script, you actually have to traverse the whole commit history and
> > >> authenticate them one by one.  But that’s OK, it runs in presumably less
> > >> than a minute on a repo the size of Guix’s, and we could also stop at
> > >> signed tags to avoid redundant checks.
> > >
> > > Practically speaking, that's probably fine, though note that a signed
> > > tag is just a signed hash of the commit it points to (with some
> > > metadata), so you're trusting the integrity of SHA-1 and nothing
> > > more.
> > >
> > > With that said, the tag points to what will hopefully be a signed
> > > commit, so if you verify the signature of the tag _and_ that commit,
> > > that'd be even better.  Git's use of SHA-1 makes cryptographic
> > > assurances difficult/awkward.
> > >
> > > An occasional traversal of the entire DAG by, say, a CI script would
> > > provide some pretty good confidence.  I wouldn't say it's necessary for
> > > every pull.
> >
> > Agreed.
> >
> > >> Third, as I wrote before¹, relying on the OpenPGP web of trust to
> > >> determine whether a commit is “valid” is inappropriate: what we want to
> > >> know is whether a commit was made by an authorized person, not whether
> > >> it was made by someone who happens to have an OpenPGP key directly or
> > >> indirectly certified.
> > >
> > > If you want to keep with the convenience of the web of trust, then you
> > > can have a keyring trusting only the appropriate Guix
> > > hackers.  Otherwise, I agree.
> >
> > Oh right, we could do something like:
> >
> >   gpgv --keyring guix-developers.keyring foo
> >
> > (I realize GSRC uses this idiom already when authenticating source
> > tarballs:
> > <http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L217>.)
> >
> > >> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,
> > >> so if we want to do something different than just ‘gpg --verify’, we
> > >> have to put some other ‘gpg’ script in $PATH.  Blech.
> > >
> > > What types of things are you considering?
> >
> > Something as simple as this:
> >
> > --8<---------------cut here---------------start------------->8---
> > $ git config gpg.program 'gpgv --keyring /dev/null'
> > $ git verify-commit HEAD
> > error: cannot run gpgv --keyring /dev/null: No such file or directory
> > error: could not run gpg.
> > --8<---------------cut here---------------end--------------->8---
> >
> > :-/
> >
> > >> Seventh, even if it did, what would we do with the raw ASCII-armored
> > >> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we’d
> > >> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
> > >> in Bigloo?)?!
> > >
> > > What about gpgme/libgcrypt?[*]
> >
> > I believe, but haven’t checked carefully, that GPGME is too high-level;
> > libgcrypt is too low-level (it does not implement OpenPGP.)
> >
> > > [*]: I was actually considering writing an FFI for libgcrypt (if it
> > > doesn't exist already), but it made me uncomfortable without studying
> > > whether Guile can make assurances that pointer-referenced data in
> > > "secure" memory will never be copied anywhere else.  I was going to
> > > bring it up in the near future on the guile mailing list after I did
> > > some research myself; no need to derail the discussion here.
> >
> > We have incomplete libgcrypt bindings:
> >
> >   http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm
> >
> > This is used for the authentication of substitutes:
> >
> >   https://www.gnu.org/software/guix/manual/html_node/Substitutes.html
> >
> > Thanks for your feedback!
> >
> > Ludo’.
> >
> >
> >
>
> Aside from other problems,
> Couldn't we create a separate gpg(-1,-2) package which installs its own GPG_HOME_DIR
> and keyring (gpg2 or gpg1 must be present for that, for future purposes a
> gpg2 would be best I think)?
>
> One example:
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
>
> I know this isn't similar to what we want to do, but it might serve as an example.
> The method described in the link downloads an auto-signed tarball snapshot of the
> portage directory via webrsync. The keys are also visible on the wiki and it is up
> to users to put trust in them, as this method is considered optional.
> The source used for this is https://gitweb.gentoo.org/proj/gentoo-keys.git/tree/README.md
>
> Maybe this helps a bit.
>


Adding to this what I just found:

http://www.tedunangst.com/flak/post/signify
https://github.com/aperezdc/signify

I am /not/ sure if this will be useful for what guix secure pull wants to achieve,
but maybe there's some inspiration to be found in the source.

--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

  reply	other threads:[~2016-06-06 15:33 UTC|newest]

Thread overview: 87+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-02 18:03 bug#22883: Trustable "guix pull" Christopher Allan Webber
2016-03-02 19:26 ` Leo Famulari
2016-03-02 21:07   ` Christopher Allan Webber
2016-04-25 22:25 ` Ludovic Courtès
2016-04-26  0:13   ` Leo Famulari
2016-04-26  0:17     ` Thompson, David
2016-04-26  7:12       ` Ludovic Courtès
2016-04-30  4:43     ` Mike Gerwitz
2016-06-03 16:12       ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2016-06-03 20:17         ` Leo Famulari
2016-06-04 11:04           ` Ludovic Courtès
2016-06-04  4:24         ` Mike Gerwitz
2016-06-04 11:17           ` Ludovic Courtès
2016-06-04 12:45             ` ng0
2016-06-06 12:20               ` ng0 [this message]
2016-06-04 16:14             ` Mike Gerwitz
2016-06-05 20:39             ` Christopher Allan Webber
2016-06-05 21:15               ` Leo Famulari
2016-06-06  2:41               ` Mike Gerwitz
2016-06-06  7:01                 ` Ludovic Courtès
2016-07-22  8:22         ` Ludovic Courtès
2016-07-22 12:58           ` Thompson, David
2016-07-22 13:58             ` Ludovic Courtès
2017-10-24 23:30           ` Ludovic Courtès
2019-12-27 19:48             ` Ricardo Wurmus
2019-12-28 14:47               ` Ludovic Courtès
2019-12-28 16:05                 ` Ricardo Wurmus
2019-12-28 17:45                   ` Ludovic Courtès
2020-04-30 15:32                 ` Ludovic Courtès
2020-05-01 15:46                   ` Justus Winter
2020-05-01 16:50                     ` Ludovic Courtès
2020-05-01 17:04                   ` Ludovic Courtès
2020-05-19 20:23                     ` Ludovic Courtès
2020-06-01 14:07                       ` bug#22883: Channel introductions Ludovic Courtès
2020-06-02 23:45                         ` zimoun
2020-06-03  9:50                           ` Ludovic Courtès
2020-06-03 16:20                             ` zimoun
2020-06-04  9:55                               ` Ludovic Courtès
2020-05-01 17:20                   ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2020-05-02 22:02                   ` Ludovic Courtès
2020-05-04  8:03                     ` Ludovic Courtès
2016-06-01 16:47   ` bug#22883: Discussion of TUF in the context of Git checkout authentication Ludovic Courtès
2016-05-15 12:40 ` bug#22883: Trustable "guix pull" fluxboks
2016-05-16 17:55   ` Thompson, David
2016-05-17 21:19   ` Ludovic Courtès
2016-06-04 16:19 ` Werner Koch
2016-06-04 22:27   ` Ludovic Courtès
2016-06-05  7:51     ` Werner Koch
2016-06-06 21:01       ` Leo Famulari
2016-06-07  8:08         ` bug#22883: gpg2 vs. gpg Ludovic Courtès
2016-06-07 11:25           ` Werner Koch
2016-06-07 12:58             ` ng0
2016-06-05  1:43   ` bug#22883: Trustable "guix pull" Mike Gerwitz
2018-08-28 19:56 ` Vagrant Cascadian
2018-09-02 16:05   ` Ludovic Courtès
2018-09-02 17:15     ` Vagrant Cascadian
2018-09-02 20:07       ` Ludovic Courtès
2019-12-20 22:11         ` bug#22883: Authenticating Git checkouts: step #1 Ludovic Courtès
2019-12-20 22:11         ` Ludovic Courtès
2019-12-21  1:33           ` bug#22883: " zimoun
2019-12-21  1:33           ` zimoun
2019-12-27 12:58           ` bug#22883: " Ludovic Courtès
2019-12-27 20:47             ` Ricardo Wurmus
2019-12-27 21:31               ` Alex Griffin
2019-12-30 21:23                 ` Ludovic Courtès
2019-12-29  2:45               ` Vagrant Cascadian
2019-12-29  7:34                 ` Efraim Flashner
2019-12-29  7:34                 ` Efraim Flashner
2019-12-30 21:29                 ` Ludovic Courtès
2019-12-30 21:29                 ` Ludovic Courtès
2019-12-29  2:45               ` Vagrant Cascadian
2019-12-27 20:47             ` Ricardo Wurmus
2019-12-27 12:58           ` Ludovic Courtès
2019-12-31 19:16 ` Jakub Kądziołka
2020-01-08 13:30   ` Ludovic Courtès
2020-06-02 13:49 ` bug#22883: Authenticating a Git checkout John Soo
2020-06-03  9:33   ` Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 2/9] git-authenticate: 'authenticate-commits' takes a #:keyring parameter Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 3/9] tests: Move OpenPGP helpers to (guix tests gnupg) Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 5/9] channels: Make 'validate-pull' call right after clone/pull Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 6/9] .guix-channel: Add 'keyring-reference' Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 7/9] channels: Automatically add introduction for the official 'guix' channel Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 8/9] pull: Add '--disable-authentication' Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction> Ludovic Courtès
2020-06-08 22:04   ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160606122052.GA21849@khazad-dum \
    --to=ng0@n0.is \
    --cc=22883@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.