From: Maxime Devos <maximedevos@telenet.be>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 57910@debbugs.gnu.org, control@debbugs.gnu.org,
57909@debbugs.gnu.org, Emma Turner <em.turner@tutanota.com>
Subject: [bug#57909] bug#57910: [PATCH] Add link to 'pre-inst-env' from 'installing from git' docs
Date: Sat, 24 Sep 2022 18:23:10 +0200 [thread overview]
Message-ID: <ec49e6c2-a542-7d95-0d73-10b2816c59d2@telenet.be> (raw)
In-Reply-To: <87k05s7oii.fsf_-_@gnu.org>
[-- Attachment #1.1.1: Type: text/plain, Size: 2240 bytes --]
On 24-09-2022 17:58, Ludovic Courtès wrote:
> Hi,
>
> Maxime Devos<maximedevos@telenet.be> skribis:
>
>> As such, I think we really shouldn't recommend "make authenticate"
>> (and even remove "make authenticate". In fact, I think we should
>> remove "make authenticate" and replace the instructions with a direct
>> "guix git authenticate ...".
> “make authenticate” runs ‘guix git authenticate’ with the right
> parameters; importantly, it runs the already-installed ‘guix’, not the
> one in the build tree, so it’s safe (prepending “./pre-inst-env”
> wouldn’t be safe as you wrote).
>
> So I’m not sure we really need changes; WDYT?
While ordinarily, it is true that "make authenticate" runs "guix git
authenticate" (and not ./pre-inst-env guix git authenticate), an
attacker could have modified Makefile.am to _not_ call "guix git
authenticate", as I've explained in the paragraph above the one you quoted:
> The solution that was proposed [...]. __Even then, it remains
> insecure, as an attacker could have modified the "make authenticate",
> as explained in more detail at
> <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.
More concretely, I've worked out a method the hypothetical attacker
could use the fact that "Makefile.am" is used before it is authenticated
in the message pointed to by the link I quoted:
https://logs.guix.gnu.org/guix/2022-09-14.log#172610 :
<maximed>civodul: Currently, it's like verifying the authenticity of a
gnupg tarball, by extracting the gnupg tarball, compiling it, and
running the freshly compiled gnupg tarball.
<antipode>Translated to Guix:
<antipode>(1) You run "git pull" (2) an attacker has intercepted the
network connection and modified Makefile.am's authenticate target to
always 'succeed'. Additionally, the attacker inserts some malicious code
somewhere (e.g. some code in Makefile.am to upload your GnuPG keys to
evil.com). To add some stealth, the modified Makefile.am automatically
reverts the malicious commit. (3) You run "make authenticate" as
recommended by the manual, and now the attacker has your private keys.
Do you see a flaw in this explanation?
Greetings,
Maxime.
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]
next prev parent reply other threads:[~2022-09-24 16:24 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-18 11:47 [bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs Emma Turner via Guix-patches via
2022-09-18 12:41 ` [bug#57910] [PATCH] " Emma Turner via Guix-patches via
2022-09-19 9:37 ` Emma Turner via Guix-patches via
2022-09-18 14:59 ` bug#57909: Sorry - accidentally opened duplicate issues Emma Turner via Guix-patches via
2022-09-19 13:01 ` [bug#57909] " Maxime Devos
2022-09-18 17:26 ` [bug#57910] [bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs Maxime Devos
2022-09-18 18:53 ` Maxime Devos
2022-09-19 6:12 ` [bug#57910] " Emma Turner via Guix-patches via
2022-09-19 13:27 ` Maxime Devos
2022-09-24 15:58 ` [bug#57909] bug#57910: [PATCH] " Ludovic Courtès
2022-09-24 16:23 ` Maxime Devos [this message]
2022-09-25 20:05 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ec49e6c2-a542-7d95-0d73-10b2816c59d2@telenet.be \
--to=maximedevos@telenet.be \
--cc=57909@debbugs.gnu.org \
--cc=57910@debbugs.gnu.org \
--cc=control@debbugs.gnu.org \
--cc=em.turner@tutanota.com \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.