From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: wip-signed-archives progress report Date: Thu, 27 Mar 2014 00:02:38 +0100 Message-ID: <878urwzhpt.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:37829) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSwqM-0001HY-Ko for guix-devel@gnu.org; Wed, 26 Mar 2014 19:02:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WSwqH-0001uj-7y for guix-devel@gnu.org; Wed, 26 Mar 2014 19:02:46 -0400 Received: from hera.aquilenet.fr ([2a01:474::1]:48987) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WSwqG-0001se-PT for guix-devel@gnu.org; Wed, 26 Mar 2014 19:02:41 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org hydra.gnu.org now signs binaries. More precisely, it signs the meta-data of binaries, aka. =E2=80=9Cnarinfos=E2=80=9D: --8<---------------cut here---------------start------------->8--- $ wget -q -O - http://hydra.gnu.org/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk.narinfo StorePath: /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 URL: nar/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 Compression: bzip2 NarHash: sha256:02xnn63ib2zs0k2dvkk9f6k7d4g1s6pm1ryjlzg3h98b88bch7n9 NarSize: 100956560 References: 1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 250yb9lr5018sc1092x= b0fikarqsh55r-findutils-4.4.2 2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d 3= 4lb360x0m8ilmqlzmvk1s2rgm416l5s-gdk-pixbuf-2.28.2 394ijzg3g53i77q9400j22w1w= amcjkxs-xz-5.0.4 3b0179h37dd19xc1k73cy8s75ja4pmba-grep-2.18 3j9cmj0l4g37gi8= 04y8yvnig0yqgm2xg-gzip-1.6 499l505sasqwxcimsvf7h6if2bnyq785-cairo-1.12.16 6= ax9s08vya8dsfda8yr0swk5g3f0b189-atk-2.10.0 6z7k9ms4sf367c3phl7djhb740ly3dqi= -gcc-4.8.2 7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 8f15savrvf13z1= z9hi5cb5l6akdx4gzr-zlib-1.2.7 91l8glwrsv0cdc53viq4i0x0x7qjrbgj-make-4.0 a9p= dkvz3xiyp01xl8gcl1y6mjij0h86k-pkg-config-0.27.1 cvc6x0brfnrxsrk2f48c6dhh4br= f05d9-coreutils-8.22 d12n5r59rhvc2b86agsp2gzsad41gr3p-pango-1.34.1 fkmxw4d9= xrabvpg3mv2l529cw7gw27n5-libtasn1-3.4 hf5kklv837xbfcv6gc7gpsj36l69j3sj-glib= c-2.19 hg75n2sbpmwnxw4v4bvn1i304r5s3dfh-libtiff-4.0.3 imc4v341rb93k8rialj5b= axzdh63w2xr-nettle-2.7.1 j96wdn8q41jd62n6p6viv2wl9l2100b3-gtk+-2.24.21 jm0q= k1n234f7l8s8zp8fpa13m8w91ikv-diffutils-3.3 lxszay94rraffzfjmzlvpa5z02h9xlfz= -gnutls-3.2.12 m56m1y8inkplafq2859vaflwrwa0c3jf-which-2.20 malv41q53gmwvrzm= 6mfpv7g4s95rzxik-libsm-1.2.1 n1chwrwzq94120d3zfcyd9yr11r0jbsb-sed-4.2.2 nax= qxdf7f6lfpy4h481h8j8hs2r44v09-libpng-1.5.17 nsv3rg9i3rn29j1nk4lr26pxazpmd75= g-tar-1.27.1 nw5y8klybqh3wn0xc66b1dfjafs5hybv-freetype-2.4.11 plw2fk911b33n= 75ylmrqkfwkhwg75ydv-binutils-2.24 pvvizw77i06pjq7kv1iz57kl68xd7bnr-libxpm-3= .5.10 q6v9b91x3hcikmnf6s3vhjzpjdrkdp6y-texinfo-5.2 qca6ipcph0rx8fsmcbib1qph= qgv2rhl0-libxft-2.3.1 qfvvhq9m6jfsn7k9a4rzik3p6hmdq397-libx11-1.5.0 r26x0ib= xcg8h71j01dcyc27lpa7kc87f-patch-2.7.1 rrbw3d1dl4njp2nnb84x8mlnmhdcvfxp-libx= ml2-2.9.0 sw5gnvc1q14pyiw5d7xc47xcy942gsf5-gawk-4.1.0 v5wr09jhn17ami1k844r6= y6n3sy6y0kr-fontconfig-2.10.93 vkgwsi1vi2k91y22clf42z2qxydyxfbb-bzip2-1.0.6= vw8ipma5jgy2a5nczwh9bxsc99w67yy5-glib-2.39.1 wfppwmx7lsqm0hpachkzs90m0c1zq= xiv-ld-wrapper-0 wfrjbxjapgqb9pqnwck35r8kb9gj435i-harfbuzz-0.9.22 xa3hd1y4y= x0z18ya3zk2p6zlc0f2hr3g-libice-1.0.8 xhd2xdv16b64ajkdd7pbkklrq5fmn28i-bash-= 4.3 yagg8zjdz367qiwspm8ssgny47inrn8f-alsa-lib-1.0.27.1 yxaqk5vj602m6waasvrg= 30hm09ln501w-giflib-4.2.3 zjwc4x53rpim4j3hmspzpv0k3n4kgv0n-dbus-1.6.4 zysrg= zapv5vzjqrbcz2y3ksi9w651876-ncurses-5.9 Deriver: 2nbrvsf3g3xl3bwh3cfvb2rvwsc8n0kn-emacs-24.3.drv System: x86_64-linux Signature: 1;hydra.gnu.org;KHNpZ25hdHVyZSAKIChkYXRhIAogIChmbGFncyBwa2NzMSkK= ICAoaGFzaCBzaGEyNTYgI0EzM0UxOEI2QUU3QTZFNjEwN0I0MDQ2NjMxQkNGOTFBM0EwNTQwMTl= EQTA1NkI0NjA5MDg0QThDNTlBRjA1RjMjKQogICkKIChzaWctdmFsIAogIChyc2EgCiAgIChzIC= M2NzgzMjA2MzBBRTA3QkM2M0ZBRTQ5MkY2QkI0OEJGMTBBMDAwNThGRTY1OTE2NDgzQjZFNERBR= Dk2NTlBQzY0OTRFMjVCQzlEMUIwMTMzN0QxMEFDRTRFNDYyODI3OEI0ODVFMDM2NkU4Mzc3MzE3= QUM4M0ZGQkQ5NkU2MDJCRUZBOENBQTk4QzlBRDJCRTJDRjJCRjQ4QzYzQUVFNTFBNDNGMkJBM0Z= GNjI0NTc0NTU0NjJGNjY1Mjg2OTBBRkU3ODJCMEJBNjdDMjgxMkU5MjZGNzNCOEZEMzQyQTZDMz= gyNEZCNkFBQTBCQTk2RjhCM0FENjgzREQzOUU3ODNDQzI0MzQ2NjBGNjRFQTU5OUU4QkEwNkREM= TczM0RFQjc0QjM2OEUzMTIwMkI0NjZBOUEzOTc1ODM4Q0MzNjFDODlBMkQ0MzEzMzlDMjkxRkM3= Q0JBQzUzMDM4Qjg0MTE1MjZCMjU1NjE4MTBCQTEzRkJGMERERUFDM0E3MDJFOURCNTFENDQyNTQ= 1QjIzOTAxMzA4QjdBRjk2QUY3MTdBRTNGODBBNTk1MzNFMUJENUU2QTZBNzQ0NDJDRkIwNzFENT= M2RDYyODhDMkRCRURBNTlCOTEwMjVFRTRFMENERDU1NTEwOUIxM0YwQzhBRUY4MkNCOTZBRDlEM= kYzRjhFRjU4QzYxQUEwNzg0OUVEMkFEMDE2QkZCMjU0RDdDQTlEMTY2NkJFMDE3M0E0QzI4NkEy= OTdEM0ZFQ0MyNjdGMTUxQTdFMEREN0FDRjc3MDg1MjRFODk3NzgxMjU5Qzc5MUYyQjExNURBNUN= EMjU3RjE2QzJCREQwRDIyOUY2RDA4QkY0RjNCQjUzQjM2QjU5MjAzQzIxODkyQ0FCOUI2MUZGRk= VEREE1QjY3MEI0MDY5OTYxNzQ5Rjg2QUVGQzMzMjQ5RUQzNDQ3MjVGRDkyRkI0NzI1MzgxQkRFM= 0VENjIwQ0IwNDRGQjMyMjVGMkU3Q0I4ODdGNjVFRTgyMkNGNTg4ODMwMkRCMUY2RkNERTVCQkYx= MzAxNTczRTU0MTZCM0E3Q0FDODYyMkE2OUUwNTk5QjAyRDhBQUQwNDc1NENBMjcxOTdCMjkzNjI= zMTVCNTQ2RTg4NzhFRDc2REZBOTAyN0RGQjc0MkEzMDVBRkUwQjNDRTBGRjNCNEE3MUI1NTU5OD= IwMjM2OUFFMDY2MEZDNTU0QjYzQ0ZFQjRFRUU4MkU4RjZCMTFERDU5NUY3Rjg0NDI1RUExRkYyN= jU5Q0EyMkE3QUMzNDBCQTZGNjNDNzU2QzdCRUU4NTlCQzlDQTQ0RDk3OTc1QzYwMkMwRjk4MTRD= MUQ2QzczMDg3ODZEIykKICAgKQogICkKIChwdWJsaWMta2V5IAogIChyc2EgCiAgIChuICMwMER= CMTYzNEUzRDlERkFDOTdBRTQ3MzREQUU5NjhDQ0IxNUVFNDgxNUM4MkJEQzI1NDg4M0RCQjQ5Rk= UxRUYzMjI2OEU4MkQ0QkJFMEUzNTI5OEM0ODFDOURBMTU1MTY0MkZBRkYwNUFFQzFBNjA3MTJGM= UJCNEJFN0QyNUQ3RUZGN0E0Rjg5NzA0QTVBOUFDMjMyODcwQ0I5RjI0NzZDM0I1MzhBMEU5OTBB= ODgyNURFQjczMDgxRDMxNzAwMUZCOEExODg2MDBGMkZFRjVGNUY1NzBFODU3RjNFRTQzNTUwNzd= BM0MzOTE4RUQ3MjcyM0E1NkJBNTVDNDY2RDQwMDY1ODk3NEQ3REFEMUY2QjdCNjNDMTkyQjlDMj= cwNEQ5OEJCRkYxQzNCRDVCOEVGMTFBOEFEQzgzQUNCOEZEOEU5RjFFNzkyRkRBRDI2MjQxNUQxM= 0YyREVFNTVGMzMwOTA4Q0ZEQTlDM0M4QzMyQjY0RjdERDA4ODQ1N0QzNEY0NDVFMkUyQzgzQzZE= NjgwNTQ5REM5QjZFNjU3M0I4OTQ5NjU2NzIwNEVEMjg1RTY3QTI3OUYyRjY2NzA4MEJBOTQxRDg= wRDAxNUNFODdCMEZCNkE5MUE5OUNFQ0M3RDkxRDJEMjEwQjAwRTRCNkU2MTFEQTUxREIwMDhGMU= RGRTNGQ0FDNkIyNzM5M0ZBNzgxRDQ1RjlBMTVGQzdCODc4NUEzRTg2QkE2NTkyQjI5MTZDQTIyQ= 0YxRTQwRkM4NUY4NUNBQ0E1OTA0NjExNTRGNThGMzU4MEIxNjM5ODkwOEVGMzIwNzZGNDExMjk5= QzI4NzI3Qzk0RDg4QjZBNjE4Rjg0REQ3M0FFQkVEODI3MEJDQjY2OTA5MjhDQjFCRjI1MEMzNUU= xRjZCRjNCMUIzMEQwNUJBMjQ2RUNFOEY2OUQ5MDY1REUyNkY0QjNFMEQ4MTRENzBBOUMyN0NCNU= I3QjA1MEM5MDkwNTkwRDNBOUVGODMzNzRGMjY0M0U1NDQ2RkJEMzlEREIxMjREQkY2REZEQUE2R= DE4RTI1NjBBRDBDQkZBMTFDOTU5QzlCNzMxNkJGMTk5NjNBMTkxOTY3MDU0RTlGRDk3REMxNEQ3= MTA4MkIzMEIxQzkwQTQ2RTg5OTY2ODI0NzRDM0JDQjUxQkEwODgyOTU4ODk3QjZERDM1RTQxQjU= xNzREMEE2QkNERTk3Qjg5MDQzRTk1QkQxQjcwREU2MURBNjY2ODkzQjQxNzE5NkExODAwMDU0Nj= ZCQzNBNzQyRkRGMDRFODlCMDQ0NjBFM0U2QkM3MkU3RjFCNUZFQTVCMzA5MkZFRTU1MUEzQzQ0N= 0MxMkUxMDRFNjUjKQogICAoZSAjMDEwMDAxIykKICAgKQogICkKICkK --8<---------------cut here---------------end--------------->8--- The Signature line above is a base64-encoded canonical sexp signature (as for =E2=80=98guix archive=E2=80=99.) With Hydra now ready, I=E2=80=99ve done some testing with Nikita=E2=80=99s = cool work on adding support for authentication/authorization of signed binaries. Here=E2=80=99s a sample session, using the internal interface to =E2=80=98g= uix substitute-binary=E2=80=99, with wip-signed-archives: --8<---------------cut here---------------start------------->8--- $ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo= ./pre-inst-env guix substitute-binary --query $ sudo ./pre-inst-env guix substitute-binary --substitute /gnu/store/1j3w0v= vh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 foo guix substitute-binary: error: unauthorized public key $ cat hydra-key.pub | sudo guix archive --authorize $ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo= ./pre-inst-env guix substitute-binary --query /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 --8<---------------cut here---------------end--------------->8--- What we see here is that =E2=80=98has-substitutes?=E2=80=99 requests simply= return #f if a substitute is available but is invalid (lacks a signature, or has a wrong signature, or is signed by an unauthorized key.) =E2=80=98--substitu= te=E2=80=99 requests error out when that happens. Nikita: comments welcome on the two commits I just pushed in wip-signed-archives. I=E2=80=99ll try to add tests for that, but overall, it seems to be getting= into shape! Thanks, Ludo=E2=80=99.