From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id KDwCOkLTQ181HQAA0tVLHw (envelope-from ) for ; Mon, 24 Aug 2020 14:48:34 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id LpTdNULTQ1/qSgAA1q6Kng (envelope-from ) for ; Mon, 24 Aug 2020 14:48:34 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 533BE940538 for ; Mon, 24 Aug 2020 14:48:34 +0000 (UTC) Received: from localhost ([::1]:39778 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kADlx-0001qe-6o for larch@yhetil.org; Mon, 24 Aug 2020 10:48:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:45802) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kADaE-0002Ix-Ie for guix-devel@gnu.org; Mon, 24 Aug 2020 10:36:26 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:46094) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kADaD-0003zI-GG; Mon, 24 Aug 2020 10:36:25 -0400 Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=41062 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kADaC-0007R2-8o; Mon, 24 Aug 2020 10:36:25 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Justus Winter Subject: Re: Securing the software distribution chain References: <87blk6wkug.fsf@europa.jade-hamburg.de> <87ime9w23i.fsf@gnu.org> <87lfj0ujkk.fsf@europa.jade-hamburg.de> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 8 Fructidor an 228 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 24 Aug 2020 16:36:22 +0200 In-Reply-To: <87lfj0ujkk.fsf@europa.jade-hamburg.de> (Justus Winter's message of "Fri, 31 Jul 2020 11:20:43 +0200") Message-ID: <87blj02jrt.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Spam-Score: -1.01 X-TUID: Qxwe5grd/+Do Hi! Justus Winter skribis: > Ludovic Court=C3=A8s writes: [...] >> The idea of storing cryptographic metadata directly in has been >> discussed a few times: >> >> https://lists.gnu.org/archive/html/help-guix/2016-08/msg00132.html >> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html >> https://git.savannah.gnu.org/cgit/guix.git/tree/TODO?id=3D6b8875c838d6= 37773813899b35a9b5ea4acfd146#n29 >> >> To me, the biggest shortcoming of this approach is if this metadata is >> primarily =E2=80=9Cornamental=E2=80=9D: if in practice, =E2=80=98guix bu= ild -S=E2=80=99 doesn=E2=80=99t use it >> (and it has no reason to use it), then that metadata is likely to become >> stale without anyone noticing. > > On the other hand, most packaging metadata is ornamental. There is no > way to tell if synopsis or description is up to date or correct. With > signing metadata there is a way to detect this, so I don't see how > tracking signing metadata is worse than tracking the description. [...] >> Of course we could have additional tools to make use of that info, say >> =E2=80=98guix build -S --authenticate=E2=80=99 or something. But that w= ould still be >> optional. > > Don't make it optional! Empower and encourage us downstream users to > verify upstream signatures and verify that the packager is honest, like > you empower us to build software and verify that the substitution > builder is honest. Fundamentally, users trust packagers: they run their code. Yet, making it easier for users to audit the work of packagers sounds like a good idea. I agree with the philosophy. I guess I poorly explained myself. To put it differently, there is no obvious place where signature verification fits here: the model is that Guix code itself is authentic, and thus all that matters is ensuring that we get the right content (checking the hash of origins). Signature metadata is =E2=80=9Csilent=E2=80=9D in that model. We can introduce signature verification in (guix download): every time code is downloaded and signature metadata is available, we verify its signature. Unfortunately, I=E2=80=99m afraid this is likely to lead to lot= s of false positives, and in particular failure to retrieve the OpenPGP key. WDYT? Where would you integrate that? >>> Thinking a bit more about having a hashsum as part of the packaging >>> definition, it seems to me that this is a bit of a modelling error. >>> Because there is no standardized way of authenticating a source >>> distribution, Guix defers this step to the packager. And if there is no >>> way to authenticate an artifact (because upstream doesn't provide >>> signatures), we at least get TOFU, i.e. the assurance that any user >>> gets the same artifact as the packager. >>> >>> This doesn't seem terribly problematic, but it doesn't support parts of >>> the artifact changing, because in this model, this cannot be >>> distinguished from an attack. Is there a way an artifact may change in >>> a valid way that Guix (and other distributions) may want to support? >> >> What do you mean? If, for example, a tarball is modified in-place >> upstream, it=E2=80=99s an error from Guix=E2=80=99 viewpoint. > > I mean that the tarball inside the OpenPGP message stays the same, but > we attach more signatures to the OpenPGP message over time. I see. We=E2=80=99ve only encountered detached signatures so far. >>> We believe there is. We propose to solve the problem of locating the >>> signatures by bundling them with the source distribution. Instead of >>> using a detached PGP signature, we want to distribute the source as a >>> signed PGP message. >>> >>> Now, if you compute a hashsum over such an artifact, you are in effect >>> notarizing the signatures in the message and the message payload. If >>> the developers add a signature to the message, the hashsum changes and >>> your notarization breaks. >>> >>> The preferred way to support this is to not verify that the hashsum over >>> the artifact matches, but to verify the PGP signatures over the payload >>> using the set of eligible signing keys in the package metadata. >> >> In practice, we don=E2=80=99t get to choose the authentication method. = You=E2=80=99re >> proposing a different authentication method here, but we=E2=80=99re just >> downstream: you=E2=80=99ll have to convince upstreams first. :-) > > Well, I'm a upstream, and this is your heads up that you are not > prepared to deal with our source distribution scheme of choice. And, > we're hoping to convince other projects to use our scheme as well. > > We've been talking about this problem internally, and we have concluded > that it is useful to be able to pin the source tarball to an exact > version as you do now. That is possible with our scheme by hashing only > the literal data of the signed OpenPGP message. That requires some > OpenPGP parsing, but guix/openpgp.scm should support that. (We =3D Sequoia-PGP, right?) It should be possible to use to support this scheme by implementing a new method for origins. We would still require the origin hash to be that of the extracted directory or tarball, which appropriate tooling could simplify. Thanks, Ludo=E2=80=99.