From: ludo@gnu.org (Ludovic Courtès)
To: Nikita Karetnikov <nikita@karetnikov.org>
Cc: guix-devel@gnu.org
Subject: Re: Signed archives
Date: Fri, 21 Feb 2014 22:17:29 +0100
Message-ID: <87y514dv2u.fsf@gnu.org>
In-Reply-To: <87ppmigld8.fsf@karetnikov.org> (Nikita Karetnikov's message of "Thu, 20 Feb 2014 13:54:27 +0400")

Hello,

Sorry for the delay!

Nikita Karetnikov <nikita@karetnikov.org> wrote:

> 1. Will hydra.gnu.org serve only signed .narinfo files?

Hydra (the software) can do both, but hydra.gnu.org will sign
everything.

> 2. If not, how can one opt out of verifying while using ‘guix
>    substitute-binary’?  Should we add an option to ‘guix package’ and
>    ‘guix build’?

In general, I don’t think we’d want to opt out.

Technically there’s also the problem that substitute-binary is spawned
by the daemon, so we have no direct way to communicate with it.

> 3. How does a user get Hydra’s public key?

I imagine we could distribute it with Guix tarballs, in the repo, and
perhaps also on ftp.gnu.org GPG-signed by myself (say).

> 4. Will the entire cache be signed with a single key?  (Mark, would you
>    like to add something?)

(I think “cache” is ambiguous here.)  All the archives served by Hydra
will be signed.

> 5. When do we want to verify the .narinfo file?  Can it be done in
>    ‘read-narinfo’?

I think so, yes, and raise an error if there’s a signature issue, as
done in ‘restore-file-set’, in nar.scm.

(IIRC, in what’s implemented in Hydra only the .narinfos are signed, not
the archives themselves, right?)

> Similarly, should we sign and base64-encode in ‘write-narinfo’?

Currently ‘write-narinfo’ is used only internally, when populating the
local narinfo lookup cache.  So there’s no need to sign things here (it
will be useful when we have an HTTP server that can publish archives
using the same protocol.)

However, the local lookup cache should probably keep the signatures it
got from hydra.gnu.org, unchanged.  Thus, ‘write-narinfo’ should do the
right thing to preserve the ‘Signature’ field.

> 6. Where should ‘guix substitute-binary’ look for a keypair?

It should use ‘authorized-key?’ from (guix pki), which in turn loads the
ACL from $sysconfdir (info "(guix) Invoking guix archive").

> 7. How do we determine that a file is signed with a trusted key?  What
>    if we don’t have the needed public key?  Does it mean we miss the
>    right one, or is it a MITM attack?

‘authorized-key?’ will DTRT.  :-)

HTH!

Ludo’.
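
As an added example, not code from this thread or from Guix itself, here is the check Ludo’ sketches above written out in Go: a read-narinfo style verifier that refuses a narinfo whose signing key is not in the ACL (the job of ‘authorized-key?’) or whose signature does not match the contents, next to a write-narinfo style serializer that carries the ‘Signature’ field over verbatim. The narinfo layout, the Ed25519 signature scheme and the ACL contents are assumptions made for illustration, not Guix’s actual format or key type.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// ACL: authorized signer public keys (base64), standing in for the ACL that
// authorized-key? loads from $sysconfdir. Its contents are constructed by the caller.
type ACL map[string]bool
// Layout assumed here (not Guix's): "Key: value" lines, then one final line
// "Signature: <base64 pubkey>;<base64 ed25519 signature>" over all earlier lines.
// Body and Signature are kept verbatim so WriteNarinfo preserves the field exactly.
type Narinfo struct{ Body, Signature string }
var ErrUnauthorizedKey = errors.New("narinfo: signing key is not in the ACL")
var ErrBadSignature = errors.New("narinfo: signature missing or does not match contents")

// WriteNarinfo serializes a narinfo, carrying the Signature field over unchanged.
func WriteNarinfo(n Narinfo) string { return n.Body + "Signature: " + n.Signature + "\n" }

// SignNarinfo produces the signed text a publisher would serve for a body.
func SignNarinfo(body string, pub ed25519.PublicKey, priv ed25519.PrivateKey) string {
	enc := base64.StdEncoding.EncodeToString
	sig := ed25519.Sign(priv, []byte(body))
	return WriteNarinfo(Narinfo{Body: body, Signature: enc(pub) + ";" + enc(sig)})
}

// ReadNarinfo splits off the Signature line and verifies it, failing (where
// read-narinfo would raise an error) if the key is not in the ACL or the signature
// does not cover the body. An unknown key and an attacker's key are rejected alike.
func ReadNarinfo(text string, acl ACL) (Narinfo, error) {
	i := strings.LastIndex(text, "Signature: ")
	if i < 0 || (i > 0 && text[i-1] != '\n') {
		return Narinfo{}, ErrBadSignature
	}
	n := Narinfo{Body: text[:i], Signature: strings.TrimSuffix(text[i+len("Signature: "):], "\n")}
	keyB64, sigB64, ok := strings.Cut(n.Signature, ";")
	if !ok || !acl[keyB64] {
		return Narinfo{}, ErrUnauthorizedKey
	}
	pub, err1 := base64.StdEncoding.DecodeString(keyB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(pub), []byte(n.Body), sig) {
		return Narinfo{}, ErrBadSignature
	}
	return n, nil
}
```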