* Suggest another way of importing GNU Guix GPG key
From: dftxbs3e @ 2019-06-29 21:11 UTC (permalink / raw)
To: guix-devel
Hello,
SKS keyservers are currently under attack
(https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
the attack can cause a GPG client to freeze completely and mess up the GPG
installation.
I suggest that GNU Guix propose another way of importing the GPG keys so
that users will not suffer from this problem.
There's another, newer keyserver, proposed in this gist, that is run by
new software that doesn't suffer from this attack. See:
https://keys.openpgp.org/about/news#2019-06-12-launch
However, that keyserver is not replicated. You could either use that one
or simply offer a download of the key over TLS with verification against
installed CAs, which is as secure as this can get.
Regards
* Re: Suggest another way of importing GNU Guix GPG key
From: Alex Vong @ 2019-06-29 21:40 UTC (permalink / raw)
To: guix-devel
Hello,
One solution would be to download the keyring from
<https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
the following way:
$ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
Cheers,
Alex
dftxbs3e@free.fr writes:
> Hello,
>
> SKS keyservers are currently under attack
> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
> the attack can cause a GPG client to freeze completely and mess up the
> GPG installation.
>
> I suggest that GNU Guix propose another way of importing the GPG keys so
> that users will not suffer from this problem.
>
> There's another, newer keyserver, proposed in this gist, that is run
> by new software that doesn't suffer from this attack. See:
> https://keys.openpgp.org/about/news#2019-06-12-launch
>
> However, that keyserver is not replicated. You could either use that
> one or simply offer a download of the key over TLS with verification
> against installed CAs, which is as secure as this can get.
>
> Regards
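The keyring-based check Alex describes, worked through as an added example (this is not code from the thread or from the Guix project): a POSIX shell script that fetches gnu-keyring.gpg over TLS from the URL given above, verifies the tarball signature against that keyring and nothing else, and accepts the result only when gpg's machine-readable status names a pinned signer fingerprint. EXPECTED_FPR is an assumption: the script does not know the Guix signing key's fingerprint and must be given the one published in the Guix manual. The use of curl and its flags, and the function names check_status, fetch_keyring and verify_release, are my choices.

```shell
#!/bin/sh
# Added example, not Guix tooling: verify a release tarball against the GNU
# keyring fetched over TLS, consulting no other keyring and no keyserver,
# and accept only a signature made by a pinned fingerprint.
set -eu

# URL from the thread. The fingerprint is an assumption: supply the one
# published in the Guix manual (40 hex digits, no spaces). Left empty, the
# check below can never match, so verification fails closed.
KEYRING_URL="https://ftp.gnu.org/gnu/gnu-keyring.gpg"
EXPECTED_FPR="${EXPECTED_FPR:-}"

# check_status reads "gpg --status-fd" lines on stdin. It returns 0 only if
# a VALIDSIG line names the pinned fingerprint (as the signing key or, for
# subkey signatures, the primary key in the last field) and no line reports
# a bad, unverifiable, expired-key or revoked-key signature.
check_status() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" { for (i = 3; i <= NF; i++) if ($i == fpr) ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# fetch_keyring downloads the keyring to $1. curl rejects an invalid
# certificate by default; --proto =https also refuses a redirect to http.
fetch_keyring() {
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
        --output "$1" "$KEYRING_URL"
}

# verify_release checks detached signature $2 over file $3 using keyring $1.
# --no-default-keyring: do not also consult ~/.gnupg/pubring.kbx, which may
#   hold a keyserver-poisoned or attacker-imported copy of the key.
# --no-auto-key-retrieve: never contact a keyserver during verification,
#   even if gpg.conf turns auto-key-retrieve on.
# A keyring path with no "/" is taken relative to the GnuPG home directory,
# so keep the "./" prefix for a file in the current directory.
verify_release() {
    gpg --batch --no-default-keyring --keyring "$1" --no-auto-key-retrieve \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# Usage: EXPECTED_FPR=<fingerprint> ./verify-guix.sh guix-1.0.1.tar.gz
if [ $# -eq 1 ]; then
    fetch_keyring ./gnu-keyring.gpg
    if verify_release ./gnu-keyring.gpg "$1.sig" "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 is NOT verified by the pinned key" >&2
        exit 1
    fi
fi
```

Two caveats the one-line command does not cover: `gpg --keyring X --verify` without `--no-default-keyring` still consults the default keyring, and a gpg.conf with `auto-key-retrieve` would contact a keyserver during verification, which is exactly the path the SKS attack poisons. A zero exit status from gpg only says that some key it could find produced a good signature; the VALIDSIG check is what ties the result to the Guix key. TLS against the installed CAs authenticates ftp.gnu.org, not the key, so the pinned fingerprint must come from an independent source such as the manual.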
* Re: Suggest another way of importing GNU Guix GPG key
From: Christopher Lemmer Webber @ 2019-06-29 21:57 UTC (permalink / raw)
To: guix-devel
That's probably the right way to do it for now.
Alex Vong writes:
> Hello,
>
> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
> $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>
> Cheers,
> Alex
>
> dftxbs3e@free.fr writes:
>
>> Hello,
>>
>> SKS keyservers are currently under attack
>> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
>> the attack can cause a GPG client to freeze completely and mess up the
>> GPG installation.
>>
>> I suggest that GNU Guix propose another way of importing the GPG keys so
>> that users will not suffer from this problem.
>>
>> There's another, newer keyserver, proposed in this gist, that is run
>> by new software that doesn't suffer from this attack. See:
>> https://keys.openpgp.org/about/news#2019-06-12-launch
>>
>> However, that keyserver is not replicated. You could either use that
>> one or simply offer a download of the key over TLS with verification
>> against installed CAs, which is as secure as this can get.
>>
>> Regards
* Re: Suggest another way of importing GNU Guix GPG key
From: Giovanni Biscuolo @ 2019-06-30 9:44 UTC (permalink / raw)
To: Alex Vong, guix-devel
Hello Guix!
Alex Vong <alexvong1995@gmail.com> writes:
> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
> $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>
Correct, the quick and "dirty" workaround is **to stop using the SKS
network** and warn Guix users to **manually download** certificates.
This means we should quickly patch the Guix manual: I've no time to propose a
patch today, I'll work on this tomorrow.
We also need to address this for **all** Guix contributors: we require
GPG-signed commits, so each and every contributor/developer should
understand the risks of using the SKS network and apply the currently
proposed workarounds: can we state this in maintenance.git/HACKING?
We should act quickly, IMHO.
Thanks! Gio'
[...]
--
Giovanni Biscuolo
Xelera IT Infrastructures
* Re: Suggest another way of importing GNU Guix GPG key
From: Leo Famulari @ 2019-07-02 15:54 UTC (permalink / raw)
To: Giovanni Biscuolo; +Cc: guix-devel
On Sun, Jun 30, 2019 at 11:44:04AM +0200, Giovanni Biscuolo wrote:
> This means we should quickly patch the Guix manual: I've no time to propose a
> patch today, I'll work on this tomorrow.
>
> We also need to address this for **all** Guix contributors: we require
> GPG-signed commits, so each and every contributor/developer should
> understand the risks of using the SKS network and apply the currently
> proposed workarounds: can we state this in maintenance.git/HACKING?
>
> We should act quickly, IMHO.
This is also being discussed privately with the Guix maintainers. I
expect to push an update for the manual and HACKING today.
PGP signatures in the context of `guix refresh` will become worse than
useless without either 1) changes in upstream GnuPG or 2) the key
holders personally uploading their keys to <keys.openpgp.org>. We might
need to remove the signature verification feature entirely.
* Re: Suggest another way of importing GNU Guix GPG key
From: Leo Famulari @ 2019-07-03 18:13 UTC (permalink / raw)
To: Giovanni Biscuolo; +Cc: guix-devel
On Tue, Jul 02, 2019 at 11:54:17AM -0400, Leo Famulari wrote:
> This is also being discussed privately with the Guix maintainers. I
> expect to push an update for the manual and HACKING today.
An update on this:
The initial plan is to add the Guix signing key to the new
abuse-resistant keyserver at <keys.openpgp.org>. Once that has been done
we can update the manual and HACKING to point at this.
* Re: Suggest another way of importing GNU Guix GPG key
From: Leo Famulari @ 2019-07-13 18:29 UTC (permalink / raw)
To: Giovanni Biscuolo; +Cc: guix-devel
On Wed, Jul 03, 2019 at 02:13:12PM -0400, Leo Famulari wrote:
> An update on this:
>
> The initial plan is to add the Guix signing key to the new
> abuse-resistant keyserver at <keys.openpgp.org>. Once that has been done
> we can update the manual and HACKING to point at this.
This didn't happen, but the instructions have been changed to suggest
fetching the key directly from Savannah [0]. Additionally, the docs
about where to put one's commit signing key have also been updated [1].
[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ffae5a7946912ffd69dd4b608576cf2d75931fb2
[1]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=06e1ecbf17fee7fe513ad2808d8175fb3565ae3e
* Re: Suggest another way of importing GNU Guix GPG key
From: dftxbs3e @ 2019-07-17 20:40 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel, Guix-devel
On 2019-07-13 20:29, Leo Famulari wrote:
> On Wed, Jul 03, 2019 at 02:13:12PM -0400, Leo Famulari wrote:
>> An update on this:
>>
>> The initial plan is to add the Guix signing key to the new
>> abuse-resistant keyserver at <keys.openpgp.org>. Once that has been
>> done
>> we can update the manual and HACKING to point at this.
>
> This didn't happen, but the instructions have been changed to suggest
> fetching the key directly from Savannah [0]. Additionally, the docs
> about where to put one's commit signing key have also been updated [1].
>
> [0]
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ffae5a7946912ffd69dd4b608576cf2d75931fb2
>
> [1]
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=06e1ecbf17fee7fe513ad2808d8175fb3565ae3e
Hello,
https://guix.gnu.org/manual/en/html_node/Binary-Installation.html still
recommends downloading using keyservers.
Might want to update that as well.
Thanks.
* Re: Suggest another way of importing GNU Guix GPG key
From: Ricardo Wurmus @ 2019-07-18 8:03 UTC (permalink / raw)
To: dftxbs3e; +Cc: guix-devel
dftxbs3e@free.fr writes:
> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
> still recommends downloading using keyservers.
This is the manual corresponding to the latest release, which did not
include the change. I think it would be warranted to change this even
though the online manual would not correspond to any release then, just
as we did it for the 1.0.0 release which included an installer bug.
--
Ricardo
* Re: Suggest another way of importing GNU Guix GPG key
From: Julien Lepiller @ 2019-07-18 8:58 UTC (permalink / raw)
To: guix-devel, Ricardo Wurmus, dftxbs3e
On 18 July 2019 10:03:18 GMT+02:00, Ricardo Wurmus <rekado@elephly.net> wrote:
>
>dftxbs3e@free.fr writes:
>
>> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
>> still recommends downloading using keyservers.
>
>This is the manual corresponding to the latest release, which did not
>include the change. I think it would be warranted to change this even
>though the online manual would not correspond to any release then, just
>as we did it for the 1.0.0 release which included an installer bug.
>
>--
>Ricardo
We can do any change we want to the version-1.0.1 branch, it will be picked up, built and served automatically by the server.