From: Björn Höfling
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 25 Jan 2019 22:25:47 +0100
Message-ID: <20190125222547.5a01b1dc@alma-ubu>
To: Ricardo Wurmus
Cc: 34125-done@debbugs.gnu.org, Laura Lazzati

On Tue, 22 Jan 2019 08:18:09 +0100
Ricardo Wurmus wrote:

> Hi Björn,
>
> > I was looking at the installation video from Laura (not yet public)
> > and wondered about that:
> >
> > We just download the installation script:
> >
> > $ wget https://.../guix-install.sh
> >
> > Then we go on directly executing that script.
> >
> > Shouldn't that be safeguarded by a PGP-signature too?
>
> I don’t know.
>
> > Because if it is not, the user could be tricked into a script that
> > downloads a "bad" Guix installation tarball.
>
> To avoid having the user tricked we use HTTPS. At least the users
> will know that this file comes from the official project website.
>
> A user who is tricked into downloading a script from a malicious site
> could just as well download a matching signature from somewhere else,
> so the script body itself should be signed. We can’t sign the whole
> file because the first line must be the shebang — unless we forgo the
> shebang and the “chmod +x” instruction and ask people to execute it
> with “sudo bash guix-install.sh”. “gpg --clear-sign” adds a block of
> text before and after the file, which would be a syntax error in a
> shell script.
>
> We are probably stuck with having a separate signature file. I don’t
> know if it’s worth doing when HTTPS is used to fetch the script from
> an authoritative source.
>

OK, agreed. Let's close this.

Björn
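
The separate-signature option discussed in the thread, sketched as an added example (not part of the original message and not Guix's own code). The verification key is pinned in a local keyring obtained out of band, so a signature fetched alongside a substituted script cannot vouch for it; the file names, keyring path and function names are assumptions.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature before an installer
# script is executed. Function names and all paths are hypothetical.

# verify_detached KEYRING SIG SCRIPT
# Returns 0 only if SIG is a valid signature over SCRIPT made by a key in
# KEYRING (a binary keyring, e.g. the output of "gpg --export").
# gpgv checks against the given keyring only and ignores the user's own
# keyring and trust database, so the pinned file is the sole trust anchor.
verify_detached() {
    keyring=$1 sig=$2 script=$3
    # Missing inputs are an error, never "nothing to check".
    [ -r "$keyring" ] && [ -r "$sig" ] && [ -r "$script" ] || return 2
    command -v gpgv >/dev/null 2>&1 || return 3
    # gpgv resolves a keyring name without a slash relative to the GnuPG
    # home directory; force a path so the pinned file is the one used.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac
    gpgv --keyring "$keyring" "$sig" "$script" >/dev/null 2>&1
}

# run_if_signed KEYRING SIG SCRIPT [ARGS...]
# Fails closed: the script reaches the interpreter only after the check.
# It is run as "bash SCRIPT", as suggested in the thread, so neither the
# shebang nor "chmod +x" is relied upon.
run_if_signed() {
    keyring=$1 sig=$2 script=$3
    shift 3
    if verify_detached "$keyring" "$sig" "$script"; then
        bash "$script" "$@"
    else
        echo "refusing to run $script: signature check failed" >&2
        return 1
    fi
}
```

Typical use, with the keyring installed from a trusted channel beforehand: `run_if_signed ./guix-keyring.gpg guix-install.sh.sig guix-install.sh` (all three file names are placeholders).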