From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <rekado@elephly.net>
Subject: bug#34125: Installation script needs to be secured with a gpg
	signature
Date: Tue, 22 Jan 2019 08:18:09 +0100
Message-ID: <87womxcg9a.fsf@elephly.net>
References: <20190118162301.52eaeb12@alma-ubu>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:60264)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1glqKt-0000Nc-HW
	for bug-guix@gnu.org; Tue, 22 Jan 2019 02:19:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1glqKs-0003hf-Jt
	for bug-guix@gnu.org; Tue, 22 Jan 2019 02:19:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:41431)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1glqKs-0003h5-7o
	for bug-guix@gnu.org; Tue, 22 Jan 2019 02:19:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1glqKr-0002PJ-Re
	for bug-guix@gnu.org; Tue, 22 Jan 2019 02:19:01 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.34125.B34125.15481415189223@debbugs.gnu.org>
In-reply-to: <20190118162301.52eaeb12@alma-ubu>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: =?UTF-8?Q?Bj=C3=B6rn_?= =?UTF-8?Q?H=C3=B6fling?= <bjoern.hoefling@bjoernhoefling.de>
Cc: 34125@debbugs.gnu.org


Hi Bj=C3=B6rn,

> I was looking at the installation video from Laura (not yet public) and
> wondered about that:
>
> We just download the installation script:
>
> $ wget https://.../guix-install.sh
>
> Then we go on directly executing that script.
>
> Shouldn't that be save-garded by a PGP-signature too?

I don=E2=80=99t know.

> Because if it is not, the user could be tricked into a script that
> downloads a "bad" Guix installation tarball.

To avoid having the user tricked we use HTTPS.  At least the users will
know that this file comes from the official project website.

A user who is tricked into downloading a script from a malicious site
could just as well download a matching signature from somewhere else, so
the script body itself should be signed.  We can=E2=80=99t sign the whole f=
ile
because the first line must be the shebang =E2=80=94 unless we forgo the sh=
ebang
and the =E2=80=9Cchmod +x=E2=80=9D instruction and ask people to execute it=
 with =E2=80=9Csudo
bash guix-install.sh=E2=80=9D.  =E2=80=9Cgpg --clear-sign=E2=80=9D adds a b=
lock of text before
and after the file, which would be a syntax error in a shell script.

We are probably stuck with having a separate signature file.  I don=E2=80=
=99t
know if it=E2=80=99s worth doing when HTTPS is used to fetch the script fro=
m an
authoritative source.

> That's what we are always
> criticising about others wget-scripts that install whatever to the user.

The criticism is aimed at =E2=80=9Ccurl | sudo bash=E2=80=9D instructions t=
hat execute
scripts off the Internet without prior inspection as root.

--
Ricardo