From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Signed archives
Date: Fri, 21 Feb 2014 22:17:29 +0100
Message-ID: <87y514dv2u.fsf@gnu.org>
In-Reply-To: <87ppmigld8.fsf@karetnikov.org> (Nikita Karetnikov's message of "Thu, 20 Feb 2014 13:54:27 +0400")
To: Nikita Karetnikov
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

Sorry for the delay!

Nikita Karetnikov wrote:

> 1. Will hydra.gnu.org serve only signed .narinfo files?

Hydra (the software) can do both, but hydra.gnu.org will sign everything.

> 2. If not, how can one opt out of verifying while using ‘guix
> substitute-binary’? Should we add an option to ‘guix package’ and
> ‘guix build’?

In general, I don’t think we’d want to opt out.

Technically there’s also the problem that substitute-binary is spawned
by the daemon, so we have no direct way to communicate with it.

> 3. How does a user get Hydra’s public key?

I imagine we could distribute it with Guix tarballs, in the repo, and
perhaps also on ftp.gnu.org GPG-signed by myself (say).

> 4. Will the entire cache be signed with a single key? (Mark, would you
> like to add something?)

(I think “cache” is ambiguous here.) All the archives served by Hydra
will be signed.

> 5. When do we want to verify the .narinfo file? Can it be done in
> ‘read-narinfo’?

I think so, yes, and raise an error if there’s a signature issue, as
done in ‘restore-file-set’, in nar.scm.

(IIRC what’s implemented in Hydra, only .narinfos are signed, and not
the archives themselves, right?)

> Similarly, should we sign and base64-encode in ‘write-narinfo’?

Currently ‘write-narinfo’ is used only internally, when populating the
local narinfo lookup cache. So there’s no need to sign things here (it
will be useful when we have an HTTP server that can publish archives
using the same protocol.)

However, the local lookup cache should probably keep the signatures it
got from hydra.gnu.org, unchanged. Thus, ‘write-narinfo’ should do the
right thing to preserve the ‘Signature’ field.

> 6. Where should ‘guix substitute-binary’ look for a keypair?

It should use ‘authorized-key?’ from (guix pki), which in turn loads
the ACL from $sysconfdir (info "(guix) Invoking guix archive").

> 7. How do we determine that a file is signed with a trusted key? What
> if we don’t have the needed public key? Does it mean we miss the
> right one, or is it a MITM attack?

‘authorized-key?’ will DTRT. :-)

HTH!

Ludo’.
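The scheme sketched in answers 5 to 7 above (verify in read-narinfo and raise on failure, keep the Signature field untouched when the local cache rewrites a narinfo, and let an ACL of authorized keys decide whether the signing key is trusted), as an added Go model that is not part of this thread or of Guix. The "Signature: <keyid>;<base64>" layout, the ACL as an in-memory map and Ed25519 as the signature algorithm are all assumptions made for this example, not the format Guix actually uses.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// Distinct errors: "unsigned" vs "key outside the ACL" vs "trusted key, tampered body".
var (
	ErrUnsigned     = errors.New("narinfo carries no usable Signature field")
	ErrUntrustedKey = errors.New("signing key is not in the authorized-key ACL")
	ErrBadSignature = errors.New("signature does not match the narinfo body")
)
// splitSignature returns the narinfo minus its Signature line (the signed bytes) and the Signature value.
func splitSignature(narinfo string) (body, sig string) {
	var keep []string
	for _, line := range strings.Split(narinfo, "\n") {
		if strings.HasPrefix(line, "Signature: ") {
			sig = strings.TrimPrefix(line, "Signature: ")
		} else {
			keep = append(keep, line)
		}
	}
	return strings.Join(keep, "\n"), sig
}
// Sign is the publisher side. "Signature: <keyid>;<base64>" is a layout
// assumed for this example, not the format Guix itself uses.
func Sign(narinfo, keyID string, priv ed25519.PrivateKey) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(narinfo)))
	return narinfo + "Signature: " + keyID + ";" + sig + "\n"
}
// Verify models read-narinfo: the signing key must be in the ACL of authorized
// keys and the signature must cover the body exactly as it was received.
func Verify(narinfo string, acl map[string]ed25519.PublicKey) error {
	body, sig := splitSignature(narinfo)
	parts := strings.SplitN(sig, ";", 2)
	if len(parts) != 2 {
		return ErrUnsigned
	}
	pub, trusted := acl[parts[0]]
	if !trusted {
		return ErrUntrustedKey
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(pub, []byte(body), raw) {
		return ErrBadSignature
	}
	return nil
}
```

Because splitSignature hands back the body byte-for-byte, a cache that stores the narinfo verbatim, Signature line included, can re-run Verify later without contacting the server.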