Re: New “guix refresh” command

[ludo@gnu.org (Ludovic Courtès)]

Nikita Karetnikov <nikita@karetnikov.org> skribis:

>> When downloading new tarballs, it also retrieves signatures and checks
>> them with GPG, via the new (guix gnupg) module.
>
> Could you point me to this part of the source code?  I fail to find it.

See ‘download-tarball’ in gnu-maintenance.scm.

>> If the public key is missing, it attempts to get it from keys.gnupg.net,
>> and tries again; in that case, the key is added to your keyring.
>
> I haven't tried the tool yet, but I'm suspicious.

Ah, I’m glad somebody chimes in.  ;-)

> First, what if the mirror is malicious but the key is there?  You'll
> fetch a malicious tarball and a malicious key.

Objects aren’t malicious.  Perhaps you’re talking about situations where
a mirror provides a tarball along with a valid signature, but said
signature is made with a random key, and the tarball is actually not
genuine, right?

First, note that ‘download-tarball’ fetches from ftp.gnu.org directly
(or ftp.gnupg.org, etc.), not from mirrors.

Second, this is the same model as used by the OpenSSH client.  When the
client is first introduced to a host, it presents you its key
fingerprint, you type ‘y’, and that key gets added to your known hosts
file.  From there on, person-in-the-middle attacks are trivially
detected as a key mismatch.

With this approach, introduction is the weak link.  It is mitigated by
the fact that, for instance, I’ve already imported and signed keys of
several GNU maintainers, and by common sense (manually checking the
signatures on a key, the tarball contents, etc.)  Also, keep in mind
that ‘guix refresh’ is primarily a maintainer’s tool.

It’s exactly what I would do manually.  What about you?

> Is it possible to use three mirrors to check keys and tarballs?

Check against what?  What do you want to address?

> I also think that one must always check keys manually (using similar
> pages [1]).  Maybe we should manually add fingerprints to a
> licenses.scm-like file and use it along with keys.gnupg.net.  It sounds
> tedious, but it'll be necessary only when you package something for the
> first time.  What do you think?

There’s the ftp.gnu.org/gnu/gnu-keyring.gpg file, which contains all the
keys ever allowed to sign GNU uploads.

But that file is itself currently unsigned.

Ideally (I think) that file would be signed, and the Guix repo would
contain the master key used to sign gnu-keyring.gpg.  From there, it
could fetch that keyring and authenticate it anytime, which in turn
could be used to authenticate GNU source tarballs, as needed for the
on-line auto-updater (see
<http://lists.gnu.org/archive/html/bug-guix/2013-03/msg00032.html>.)

This is similar to Debian’s approach, AIUI.

I’ve made this suggestion to one of the FSF sysadmins, but it seems to
need further discussion, and probably input from crypto-savvy people.

> It also bugs me that there are a lot of packages which are not signed at
> all.  I guess I'll start to ask maintainers to add signatures (at least
> for the future versions).  I hope you'll do the same.

All the packages on gnu{,pg}.org are signed.  I think very few GNU
packages are unsigned.

For non-GNU packages, the situation is not as good, and I agree we must
spread the word, but that won’t change overnight.

> Second, is there a way not to pollute my keyring with such keys or at
> least mark them somehow (for example, as not trusted)?

They are marked as such by default.

Problem is, I want to use my default keyring because it already contains
many keys that I signed.  So I don’t see how to accommodate both needs.

Thanks for sharing your thoughts and concerns!

Ludo’.