all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Justus Winter <teythoon@avior.uberspace.de>
To: guix-devel@gnu.org
Subject: Securing the software distribution chain
Date: Thu, 23 Jul 2020 13:07:35 +0200	[thread overview]
Message-ID: <87blk6wkug.fsf@europa.jade-hamburg.de> (raw)

[-- Attachment #1: Type: text/plain, Size: 2919 bytes --]

Hello :)

doing some packaging lately I noticed a weak link in Guix'
authentication chain.  Artifacts downloaded by Guix are authenticated
using a hashsum included in the packaging definition, and 'guix
download' will compute this hashsum over artifacts, but the step of
authenticating the artifact is a manual one, mentioned in the
'Submitting Patches' checklist:

> Before submitting a patch that adds or modifies a package definition,
> please run through this check list:
>
> 1. If the authors of the packaged software provide a cryptographic
>    signature for the release tarball, make an effort to verify the
>    authenticity of the archive. For a detached GPG signature file this
>    would be done with the gpg --verify command.

For me, this is a tooling problem.  'guix download' should authenticate
the downloaded artifact before it computes and prints the hashsum.
There are two problems to solve: It needs to locate the signature, and
it has to know the set of cryptographic identities eligible to create
the signature.

For some transports, like git, locating the signatures is not a problem,
but for http, there is just no standard on where the detatched signature
is located, or even what data it is computed over (for example,
kernel.org signs the uncompressed tarball).

So I think two things need to happen before this step can be improved:
The package metadata should include the URL of the signature and a set
of cryptographic identities eligible for signing the artifact.


Thinking a bit more about having a hashsum as part of the packaging
definition, it seems to me that this is a bit of a modelling error.
Because there is no standardized way of authenticating a source
distribution, Guix defers this step to the packager.  And if there is no
way to authenticate an artifact (because upstream doesn't provide
signatures), we at least get TOFU, i.e. the assurance that any user
gets the same artifact as the packager.

This doesn't seem terribly problematic, but it doesn't support parts of
the artifact changing, because in this model, this cannot be
distinguished from an attack.  Is there a way an artifact may change in
a valid way that Guix (and other distributions) may want to support?

We believe there is.  We propose to solve the problem of locating the
signatures by bundling them with the source distribution.  Instead of
using a detached PGP signature, we want to distribute the source as a
signed PGP message.

Now, if you compute a hashsum over such an artifact, you are in effect
notarizing the signatures in the message and the message payload.  If
the developers add a signature to the message, the hashsum changes and
your notarization breaks.

The preferred way to support this is to not verify that the hashsum over
the artifact matches, but to verify the PGP signatures over the payload
using the set of eligible signing keys in the package metadata.


Thoughts?
Justus

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

             reply	other threads:[~2020-07-23 12:13 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-23 11:07 Justus Winter [this message]
2020-07-27 12:53 ` Securing the software distribution chain Ludovic Courtès
2020-07-27 18:13   ` zimoun
2020-07-31  9:20   ` Justus Winter
2020-08-24 14:36     ` Ludovic Courtès
2020-08-25 10:01       ` Efraim Flashner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87blk6wkug.fsf@europa.jade-hamburg.de \
    --to=teythoon@avior.uberspace.de \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.