[security] Substitutes fetched from server with no authorized key

Done
Submitted by Pierre Neidhardt.
Details
3 participants
  • Julien Lepiller
  • Ludovic Courtès
  • Pierre Neidhardt
Owner
unassigned
Severity
normal
Pierre Neidhardt wrote on 17 Jun 2020 09:37
(address . bug-guix@gnu.org)
87k106nnwg.fsf@ambrevar.xyz
I could be doing something wrong, but...
1. Alice starts `guix publish -u ambrevar`.
2. Bob, who did _not_ authorize Alice's signing key:
   - herd stop guix-daemon
   - guix-daemon --build-users-group=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
   - guix build curl
Result:
downloading from http://10.0.0.4:8080/nar/gzip/...
Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
Am I missing something or there is something really wrong?
--
Pierre Neidhardt
https://ambrevar.xyz/
Julien Lepiller wrote on 17 Jun 2020 13:05
DDDA1FF9-4503-4547-BF17-CFA181DDD204@lepiller.eu
On 17 June 2020 03:37:35 GMT-04:00, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
> I could be doing something wrong, but...
>
> 1. Alice starts `guix publish -u ambrevar`.
> 2. Bob, who did _not_ authorize Alice's signing key:
>    - herd stop guix-daemon
>    - guix-daemon --build-users-group=guixbuild
>      --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
>    - guix build curl
>
> Result:
>
> --8<---------------cut here---------------start------------->8---
> downloading from http://10.0.0.4:8080/nar/gzip/...
> --8<---------------cut here---------------end--------------->8---
>
> Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
>
> Am I missing something or there is something really wrong?
There are two ways that you can get substitutes from unauthorized servers:
Substitutes for fixed-output derivations: guix already knows the result, so it doesn't need a signature, it checks the result (not sure this is a thing)
Substitutes that are reproducible. If you have a narinfo from an authorized build farm for a package in your local cache and Alice's publish server proposes the same (name and checksum) substitute, you can download it. This is definitely a thing.
Other than that, guix should not use alice's substitutes.
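
A simplified model of the second case described in the reply above, added as an example and not part of the thread or Guix's own code: a server whose key is not authorized becomes a usable download source only when an authorized server has signed a narinfo for the same store path and hash. HMAC stands in for the real public-key signatures; the keys, the store path placeholder, the archive bytes and all function names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

def sign(key: bytes, store_path: str, nar_hash: str) -> str:
    # Stand-in (assumption): HMAC replaces the public-key signature of a real narinfo.
    return hmac.new(key, f"{store_path}\n{nar_hash}".encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Narinfo:
    server: str
    store_path: str
    nar_hash: str
    signature: str

def publish(server: str, key: bytes, store_path: str, nar: bytes) -> Narinfo:
    """Build the signed metadata a server advertises for the archive it serves."""
    nar_hash = hashlib.sha256(nar).hexdigest()
    return Narinfo(server, store_path, nar_hash, sign(key, store_path, nar_hash))

def vouched(narinfos, acl):
    """(store path, hash) pairs whose signature verifies under an authorized key."""
    return {(n.store_path, n.nar_hash) for n in narinfos
            if any(hmac.compare_digest(n.signature, sign(k, n.store_path, n.nar_hash))
                   for k in acl)}

def usable_servers(narinfos, acl):
    """Servers to download from: any whose narinfo matches a vouched pair."""
    ok = vouched(narinfos, acl)
    return [n.server for n in narinfos if (n.store_path, n.nar_hash) in ok]

def accept_nar(nar: bytes, store_path: str, narinfos, acl) -> bool:
    """Keep downloaded bytes only if their hash is one an authorized key signed."""
    return (store_path, hashlib.sha256(nar).hexdigest()) in vouched(narinfos, acl)

# Constructed sample data: keys, store path and archive bytes are made up.
CI, ALICE = "https://ci.guix.gnu.org", "http://10.0.0.4:8080"
CI_KEY, ALICE_KEY = b"ci-key", b"alice-key"
ACL = [CI_KEY]                      # Bob never authorized Alice's key
PATH = "/gnu/store/<hash>-curl"     # placeholder store path
NAR, TAMPERED = b"curl build output", b"something else"

same = [publish(ALICE, ALICE_KEY, PATH, NAR), publish(CI, CI_KEY, PATH, NAR)]
differs = [publish(ALICE, ALICE_KEY, PATH, TAMPERED), publish(CI, CI_KEY, PATH, NAR)]

if __name__ == "__main__":
    print(usable_servers(same, ACL))     # Alice is usable: same path and hash as CI
    print(usable_servers(differs, ACL))  # only CI: no authorized key vouches for Alice's hash
    print(accept_nar(TAMPERED, PATH, same, ACL))  # False: bytes do not match a signed hash
```
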
Pierre Neidhardt wrote on 17 Jun 2020 13:51
87h7v929m5.fsf@ambrevar.xyz
Oh, that makes sense!
This is very smart actually!
Thanks a lot for the explanation!
--
Pierre Neidhardt
https://ambrevar.xyz/
Pierre Neidhardt wrote on 17 Jun 2020 13:52
control message for bug #41907
(address . control@debbugs.gnu.org)
87ftat29lj.fsf@ambrevar.xyz
close 41907
quit
Ludovic Courtès wrote on 19 Jun 2020 22:51
(address . control@debbugs.gnu.org)
87eeqaeq47.fsf@gnu.org
tags 41907 + notabug
quit