* [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Andrew Tropin @ 2022-08-11 14:26 UTC
To: guix-devel
Cc: Tobias Geerinckx-Rice, Efraim Flashner, Ludovic Courtès

* Summary

On 2022-08-06 the commit 3946540[fn:1] was pushed and led to a failing guix pull:

--8<---------------cut here---------------start------------->8---
guix pull: error: commit 39465409f0481f27d252ce25d2b02d3f5cbc6723 not signed by an authorized key: 2841 9AC6 5038 7440 C7E9 2FFA 2208 D209 58C1 DEB0
--8<---------------cut here---------------end--------------->8---

It was discovered and reported on IRC almost immediately by a few people.

The commit itself was signed and benign[fn:2], but it was signed with a subkey.  While the primary key was added to .guix-authorizations, guix pull still rejected the commit signed with the subkey.  From the point the commit was pushed there is no easy way to recover guix pull.

nckx contacted the Savannah admins and a few hours later the master branch was reset to the state before 3946540 was pushed.

* Impact

- guix pull of the latest commit from the master branch couldn't be done for a few hours; the possible problem of such a DoS is known[fn:3].

* What could be done better?

- guix pull could be done from local checkout, before pushing.
- First commit by a fresh committer could be pushed on a weekday, after checking if maintainers and admins are present.

* What to do after?

- Accept subkey on guix pull if master key is in .guix-authorizations.
- Add tip to Commit Access section about pull from local checkout.
- Add pre-push hook, which checks authorization on Savannah.

* Footnotes

[fn:1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=39465409f0481f27d252ce25d2b02d3f5cbc6723
[fn:2] https://lists.gnu.org/archive/html/help-guix/2022-08/msg00073.html
[fn:3] https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00156.html

--
Best regards,
Andrew Tropin
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2022-08-11 15:09 UTC
To: Guix Devel

Hi,

On Thu, Aug 11, 2022 at 7:27 AM Andrew Tropin <andrew@trop.in> wrote:
>
> Re: [POSTMORTEM]

I have likewise used those words to describe concluding reports or to communicate lessons learned, but upon reflection I now prefer "incident summary" or "debrief". [1]

Since both of my suggested replacements are associated with the military, they are also not great examples of favoring life over death, but at least the parties are not yet in the morgue, so there is hope.

Long live Guix!

Kind regards
Felix Lechner

[1] "debriefing strategies maximize ... the collective experience", https://en.wikipedia.org/wiki/Debriefing
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Maxime Devos @ 2022-08-11 15:11 UTC
To: Andrew Tropin, guix-devel
Cc: Tobias Geerinckx-Rice, Efraim Flashner, Ludovic Courtès

On 11-08-2022 16:26, Andrew Tropin wrote:
> * What to do after?
> - Accept subkey on guix pull if master key is in .guix-authorizations.

As I've now written on 57091, this would cause security problems with old or revoked keys.

Greetings,
Maxime.
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: John Kehayias @ 2022-08-11 15:25 UTC
To: Andrew Tropin
Cc: guix-devel, Maxime Devos, Tobias Geerinckx-Rice, Efraim Flashner, Ludovic Courtès

Hi everyone,

Thanks for this write-up and discussion, Andrew. I'm also following along in [0] but I'll just chime in here for now.

When I saw this I was worried since I also "just" use subkeys, meaning for all signing etc. only my subkey is used. These are set to expire each year and then I renew them. For places like GitLab/Hub, this requires deleting the public key and re-adding it after I renew keys. Old commits still show as verified.

Anyway, that's my basic usage and I was worried that I would break a (third party) Guix channel when I was added as a committer. Indeed, that is what just happened, with the same steps: my primary key fingerprint was added to .guix-authorizations. GitLab was happy enough verifying the (subkey signed) commits, and even Cuirass would get the commits and build them. (Side note: does Cuirass not do guix pull? Why would it not fail to pull just as a user?)

All that is to say that I think the use case of someone only using subkeys is valid and one we could expect and should handle. Now, the correct and best way to do that, especially with things like time-travel, I don't know. I just wanted to note that I think only expecting the primary key (rather than subkeys) is limiting.

Finally, as a concrete example of this usage, I manage my keys with a hardware key (YubiKey) and followed this [1] guide to setting up with subkeys that I renew regularly. The primary key isn't really used for much and I think this works well, all I manage is renewal every so often.

[0] https://issues.guix.gnu.org/57091
[1] https://github.com/drduh/YubiKey-Guide

John
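The three messages above (the postmortem, Maxime's warning about old or revoked keys, and John's subkey-only workflow) are really about one policy question: what should a history-walking verifier do when the signing key is a subkey and only the primary key's fingerprint is in .guix-authorizations? The following is an added example written for this page, a Python sketch of that decision and not Guix's code (Guix is Guile, and its real `guix git authenticate` logic is not reproduced here). The primary and retired-subkey fingerprints, the keyring and all commits except the incident commit id are constructed; the `Subkey`, `Commit` and the three `*_check` functions are this example's own names.

```python
"""Toy model of commit authorization by OpenPGP key fingerprint.

Added, constructed example; not Guix's implementation. It models the
thread's situation: .guix-authorizations lists *primary* fingerprints,
the commit was signed with a *subkey*.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


def fpr(text: str) -> str:
    """Normalise a fingerprint: drop spaces, upper-case the hex."""
    return text.replace(" ", "").upper()


@dataclass(frozen=True)
class Subkey:
    fingerprint: str
    primary: str                # fingerprint of the primary key it is bound to
    created: date
    expires: Optional[date]     # None: no expiry
    revoked_on: Optional[date]  # None: never revoked


@dataclass(frozen=True)
class Commit:
    commit_id: str
    signed_by: str              # fingerprint of the key that made the signature
    committed_on: date


def exact_check(commit: Commit, authorizations: Iterable[str]) -> bool:
    """Behaviour the postmortem describes: the signing key's own fingerprint
    must be listed, so a subkey signature fails although the primary is listed."""
    return fpr(commit.signed_by) in {fpr(a) for a in authorizations}


def naive_primary_check(commit: Commit, authorizations: Iterable[str],
                        keyring: Dict[str, Subkey]) -> bool:
    """'Accept subkey if master key is in .guix-authorizations' taken literally:
    map subkey -> primary and look the primary up, ignoring the subkey's own
    state. This is the variant Maxime's reply warns about: an old or revoked
    subkey passes as long as its primary is listed."""
    auth = {fpr(a) for a in authorizations}
    key = fpr(commit.signed_by)
    if key in auth:
        return True
    sub = keyring.get(key)
    return sub is not None and fpr(sub.primary) in auth


def validity_aware_check(commit: Commit, authorizations: Iterable[str],
                         keyring: Dict[str, Subkey]) -> bool:
    """Map subkey -> primary, but accept only if the subkey was usable when the
    commit was made: already created, not expired, never revoked. Treating any
    revocation as disqualifying (not just ones dated before the commit) is this
    example's deliberately conservative choice for a tool that walks history."""
    auth = {fpr(a) for a in authorizations}
    key = fpr(commit.signed_by)
    if key in auth:
        return True
    sub = keyring.get(key)
    if sub is None or fpr(sub.primary) not in auth:
        return False
    if sub.revoked_on is not None:
        return False
    if commit.committed_on < sub.created:
        return False
    if sub.expires is not None and commit.committed_on > sub.expires:
        return False
    return True


# --- constructed sample data --------------------------------------------------
PRIMARY_FPR = "A" * 40          # placeholder primary fingerprint (constructed)
# Fingerprint named in the guix pull error above (the signing subkey, per the postmortem).
CURRENT_SUBKEY_FPR = fpr("2841 9AC6 5038 7440 C7E9 2FFA 2208 D209 58C1 DEB0")
RETIRED_SUBKEY_FPR = "B" * 40   # placeholder: an earlier subkey, since revoked (constructed)

KEYRING = {
    CURRENT_SUBKEY_FPR: Subkey(CURRENT_SUBKEY_FPR, PRIMARY_FPR,
                               date(2022, 1, 1), date(2023, 1, 1), None),
    RETIRED_SUBKEY_FPR: Subkey(RETIRED_SUBKEY_FPR, PRIMARY_FPR,
                               date(2020, 1, 1), date(2021, 1, 1), date(2020, 6, 1)),
}
AUTHORIZATIONS = [PRIMARY_FPR]  # what .guix-authorizations held: the primary only

# Incident commit: id from the thread, date approximated from the push date.
INCIDENT = Commit("39465409f0481f27d252ce25d2b02d3f5cbc6723", CURRENT_SUBKEY_FPR, date(2022, 8, 6))
# Constructed: a fresh commit signed with the old, revoked subkey.
WITH_REVOKED = Commit("<constructed-commit-id-1>", RETIRED_SUBKEY_FPR, date(2022, 8, 6))
# Constructed: the current subkey, but a commit dated before that subkey existed.
BEFORE_CREATION = Commit("<constructed-commit-id-2>", CURRENT_SUBKEY_FPR, date(2021, 6, 1))


def run_scenarios() -> Dict[str, bool]:
    """Evaluate each policy against the sample commits."""
    return {
        "exact/incident": exact_check(INCIDENT, AUTHORIZATIONS),
        "naive/incident": naive_primary_check(INCIDENT, AUTHORIZATIONS, KEYRING),
        "naive/revoked": naive_primary_check(WITH_REVOKED, AUTHORIZATIONS, KEYRING),
        "validity/incident": validity_aware_check(INCIDENT, AUTHORIZATIONS, KEYRING),
        "validity/revoked": validity_aware_check(WITH_REVOKED, AUTHORIZATIONS, KEYRING),
        "validity/before-creation": validity_aware_check(BEFORE_CREATION, AUTHORIZATIONS, KEYRING),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26} {'authorized' if ok else 'REJECTED'}")
```

The exact check reproduces the incident (the incident commit is rejected), the naive primary lookup fixes the incident but also accepts the revoked subkey, and the validity-aware variant accepts the incident commit while rejecting both the revoked subkey and a commit dated before its subkey existed. Whether revocation should be retroactive, and how the verifier learns a subkey's history for time-travel, are exactly the open points John raises; this sketch only makes the trade-off visible.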
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Ludovic Courtès @ 2022-09-02 13:23 UTC
To: Andrew Tropin
Cc: guix-devel, Tobias Geerinckx-Rice, Efraim Flashner

Hello!

I’m late to the party, but thanks a lot for sending this analysis!

Andrew Tropin <andrew@trop.in> skribis:

> * What could be done better?
> - guix pull could be done from local checkout, before pushing.

Setting a pre-push hook that invokes ‘guix git authenticate’, as recommended in the manual (info "(guix) Commit Access"), should be enough: ‘git push’ would just fail in that situation.

> - Accept subkey on guix pull if master key is in .guix-authorizations.

Reported at <https://issues.guix.gnu.org/57091>.

> - Add pre-push hook, which checks authorization on Savannah.

That one is difficult: Guix is not installed on those machines.

Another option would be to push to a different machine, one that we control, and make Savannah a mirror of that one.

Thoughts?

Ludo’.
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Andrew Tropin @ 2022-09-05 7:07 UTC
To: Ludovic Courtès
Cc: guix-devel, Tobias Geerinckx-Rice, Efraim Flashner

On 2022-09-02 15:23, Ludovic Courtès wrote:
> Hello!
>
> I’m late to the party, but thanks a lot for sending this analysis!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> * What could be done better?
>> - guix pull could be done from local checkout, before pushing.
>
> Setting a pre-push hook that invokes ‘guix git authenticate’, as
> recommended in the manual (info "(guix) Commit Access"), should be
> enough: ‘git push’ would just fail in that situation.

For some reason I thought it does git verify-commit, which I used manually to check if a commit is signed, but it does make authenticate, which of course works the other way. Missed it, my bad.

I have elaborated on this topic a little more in the manual.

[-- Attachment #1.2: 0001-doc-Add-more-info-about-commits-signature-local-veri.patch --]
From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001 From: Andrew Tropin <andrew@trop.in> Date: Mon, 5 Sep 2022 09:46:23 +0300 Subject: [PATCH] doc: Add more info about commits signature local verification. * doc/contributing.texi (Commit Access): Add more info about commits signature local verification. --- doc/contributing.texi | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/doc/contributing.texi b/doc/contributing.texi index b1d236c011..17a54f94cc 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi
@@ -1627,14 +1627,23 @@ git config commit.gpgsign true git config user.signingkey CABBA6EA1DC0FF33 @end example -You can prevent yourself from accidentally pushing unsigned commits to -Savannah by using the pre-push Git hook located at -@file{etc/git/pre-push}: +To check that commits are signed with correct key, use: + +@example +make authenticate +@end example + +You can prevent yourself from accidentally pushing unsigned or signed +with the wrong key commits to Savannah by using the pre-push Git hook +located at @file{etc/git/pre-push}: @example cp etc/git/pre-push .git/hooks/pre-push @end example +It additionally calls @code{make check-channel-news} to be sure +@file{news.scm} file is correct. + @subsection Commit Policy If you get commit access, please make sure to follow -- 2.37.2 [-- Attachment #1.3: Type: text/plain, Size: 640 bytes --] >> - Accept subkey on guix pull if master key is in .guix-authorizations. > > Reported at <https://issues.guix.gnu.org/57091>. > >> - Add pre-push hook, which checks authorization on Savannah. > > That one is difficult: Guix is not installed on those machines. > > Another option would be to push to a different machine, one that we > control, and make Savannah a mirror of that one. It can work, but looks fragile. > > Thoughts? Let's ask savannah admins if it possible to install guix on those machines and add pre-receive/update hook? If not, we will look for other options. -- Best regards, Andrew Tropin [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 8+ messages in thread
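Review bot: The added sentence introducing `make authenticate` ("To check that commits are signed with correct key, use:") says neither when to run it nor what "correct" means; since the point of this patch is the postmortem's lesson of authenticating the local checkout before pushing, suggest "Before pushing, check that your commits are signed with an authorized key (one listed in @file{.guix-authorizations}):", and, because the thread refers to this check as ‘guix git authenticate’, one clause saying how @code{make authenticate} relates to that command. The rewritten hook paragraph reads awkwardly: "pushing unsigned or signed with the wrong key commits to Savannah" is clearer as "pushing commits that are unsigned or signed with the wrong key to Savannah". Minor: "to be sure @file{news.scm} file is correct" wants "the @file{news.scm} file".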
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Ludovic Courtès @ 2022-09-05 9:53 UTC
To: Andrew Tropin
Cc: guix-devel, Tobias Geerinckx-Rice, Efraim Flashner

Hi,

Andrew Tropin <andrew@trop.in> skribis:

>> Setting a pre-push hook that invokes ‘guix git authenticate’, as
>> recommended in the manual (info "(guix) Commit Access"), should be
>> enough: ‘git push’ would just fail in that situation.
>
> For some reason I thought it does git verify-commit, which I used
> manually to check if commit is signed, but it does make authenticate,
> which of course works the other way. Missed it, my bad.

OK.

> I have elaborated on this topic a little more in the manual.
>
> From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Mon, 5 Sep 2022 09:46:23 +0300
> Subject: [PATCH] doc: Add more info about commits signature local
> verification.
>
> * doc/contributing.texi (Commit Access): Add more info about commits signature
> local verification.

It’s certainly an improvement, LGTM!

> Let's ask savannah admins if it possible to install guix on those
> machines and add pre-receive/update hook? If not, we will look for
> other options.

I’m busy these days so I’d rather not commit to starting a discussion on this, but I’d suggest testing waters on #savannah on IRC.

Thanks,
Ludo’.
* Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations

From: Tobias Geerinckx-Rice @ 2022-09-05 11:50 UTC
To: Ludovic Courtès
Cc: Andrew Tropin, guix-devel, Efraim Flashner

Ludovic Courtès wrote:
> I’m busy these days so I’d rather not commit to starting a
> discussion on
> this, but I’d suggest testing waters on #savannah on IRC.

They weren't wild about it. We'd be asking for a lot from their perspective.

I haven't given up on convincing them otherwise, but an alternative approach would be to write a minimum viable verifier (the machine has Guile \o/ although it might need updating), and then just regularly pull the guix repository as (keyring) data, without executing any of its code.

Kind regards,
T G-R