From: "Ludovic Courtès" <ludo@gnu.org>
To: pukkamustard <pukkamustard@posteo.net>
Cc: 53901@debbugs.gnu.org
Subject: [bug#53901] [PATCH] publish: Sign only normative narinfo fields.
Date: Thu, 10 Feb 2022 22:09:33 +0100 [thread overview]
Message-ID: <87v8xm2zua.fsf@gnu.org> (raw)
In-Reply-To: <8635kr84ge.fsf@posteo.net> (pukkamustard@posteo.net's message of "Thu, 10 Feb 2022 09:00:12 +0000")
Hi,
pukkamustard <pukkamustard@posteo.net> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> This will allow mirror operators to alter the non-normative bits of a
>> narinfo, such as nar URLs and compression methods, without requiring
>> them to resign narinfos.
>>
>> [...]
>>
>> Thoughts?
>
> Sounds good to me.
Thanks.
> Maybe we can take the opportunity to do some cleanup?
>
> For example: We could get rid of the narinfo-contents field as we only
> sign the fixed normative fields (in a strict order). This would also
> allow us to remove the verify-everything-above-signature logic.
At this point, the client (narinfo consumer) cannot assume that the
server signs only the normative part, and only in a specific order; this
would be a protocol change (in fact, with this patch, ‘guix publish’
actually also signs the ‘Deriver’ field although that’s not a normative
field; maybe I should take ‘Deriver’ out.)
So I’m afraid we cannot clean that up yet.
> I recently tripped over the narinfo verification logic
> (https://issues.guix.gnu.org/52555#43) and think the changes you propose
> plus the simplifications above should make this security-critical code a
> bit easier to understand.
To be fair, the relevant bit is ‘narinfo-sha256’, which is 18 lines.
That said, in hindsight, you’re right: it would have been wiser to (1)
enforce a canonical representation of narinfos, and (2) require
signatures on a specific and ordered set of normative fields.
The problem is that all the narinfos out there fail #2 so we’ll
necessarily have to wait before we can really get rid of the
verify-everything-above-signature logic.
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-02-10 21:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 17:52 [bug#53901] [PATCH] publish: Sign only normative narinfo fields Ludovic Courtès
2022-02-09 18:29 ` Christopher Baines
2022-02-09 21:49 ` Ludovic Courtès
2022-02-10 9:00 ` pukkamustard
2022-02-10 21:09 ` Ludovic Courtès [this message]
2022-02-11 10:30 ` pukkamustard
2022-02-14 10:29 ` bug#53901: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v8xm2zua.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=53901@debbugs.gnu.org \
--cc=pukkamustard@posteo.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.