… in which case the signature is expected to be computed over the empty string (thus it’s the same for all the narinfos it serves.)

The problem is that ‘guix substitute’ will accept such narinfos (when they are signed by an authorized key), even though the signature doesn’t cover the important parts (namely: StorePath, NarHash, and References; the rest is mostly informative.) A fix is attached with tests that illustrate the problem.
I think the main consequence is repudiation: if you receive a narinfo where the signature comes first, that doesn’t prove anything; the server operator could pretend it never sent it since in essence its contents are unsigned. It’s not clear to me whether/how this could be exploited.

Also keep in mind that this is limited to servers with a key present in the user’s /etc/guix/acl (“trusted” servers.) In this context, servers are in a position to do more harm to the user anyway since they serve substitutes.

TIA,
Ludo’.

PS: Thanks to Leo and Ricardo for their quick feedback on the guix-security mailing list!
From eb6f7aa5e57185acbe100eb21abb300f0cfb264b Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <email@example.com>
Date: Thu, 13 Dec 2018 19:45:47 +0100
Subject: [PATCH] DRAFT substitute: Ignore irrelevant narinfo signatures.

Fixes XXX.

Fixes a bug whereby 'guix substitute' would accept narinfos whose signature did not cover the StorePath/NarHash/References tuple.

* guix/scripts/substitute.scm (narinfo-sha256)[%mandatory-fields]: New variable.
Compute SIGNED-FIELDS; return #f unless each of the %MANDATORY-FIELDS is among SIGNED-FIELDS.
* tests/substitute.scm ("query narinfo with signature over nothing")
("query narinfo with signature over irrelevant bits"): New tests.
---
 guix/scripts/substitute.scm | 13 ++++++++++--
 tests/substitute.scm        | 42 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 52 insertions(+), 3 deletions(-)
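The coverage check the report describes, as an added example that is not part of the bug report or of Guix’s own code: a narinfo is split at its Signature line, everything before that line is what the signature covers (as in Guix), and the fix is to reject the narinfo unless StorePath, NarHash and References all fall inside that covered portion. The signer here is a stand-in: HMAC-SHA256 with a shared demo key replaces Guix’s Ed25519 signature, the Signature value format `1;host;hex` is a simplification, and the store paths, hashes and key are constructed sample values. `require_coverage=False` reproduces the pre-fix behaviour, where a valid signature over nothing is honoured.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Fields the signature must cover before a narinfo can be trusted
# (the StorePath/NarHash/References tuple from the bug report).
MANDATORY_FIELDS = ("StorePath", "NarHash", "References")


def parse_fields(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict (a repeated key keeps the last value)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed narinfo line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def signed_portion(text: str) -> Tuple[str, List[str]]:
    """Split a narinfo at its Signature line.

    Returns the text the signature is computed over (everything preceding
    the 'Signature:' line, as in Guix) and the names of the fields inside
    that portion.  A narinfo whose Signature line comes first has an empty
    signed portion and no covered fields at all.
    """
    covered: List[str] = []
    names: List[str] = []
    for line in text.splitlines(keepends=True):
        if line.startswith("Signature:"):
            break
        covered.append(line)
        key = line.partition(":")[0].strip()
        if key:
            names.append(key)
    return "".join(covered), names


def uncovered_mandatory_fields(text: str) -> List[str]:
    """Mandatory fields the signature does NOT cover (empty list means OK)."""
    _, names = signed_portion(text)
    return [f for f in MANDATORY_FIELDS if f not in names]


# Stand-in signer: HMAC-SHA256 with a shared key instead of Guix's
# Ed25519/libgcrypt signature.  Only the coverage logic is the point here.

def sign_narinfo(body: str, key: bytes, host: str = "example.org") -> str:
    """Append a Signature line over BODY (simplified '1;host;hex' format)."""
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + f"Signature: 1;{host};{mac}\n"


def verify_narinfo(text: str, key: bytes,
                   require_coverage: bool = True) -> Optional[Dict[str, str]]:
    """Return the narinfo's fields if it is trusted, else None.

    require_coverage=False reproduces the pre-fix behaviour: any valid
    signature from an authorized key is accepted, even one over nothing.
    """
    fields = parse_fields(text)
    sig = fields.get("Signature")
    if sig is None:
        return None
    body, _ = signed_portion(text)
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.rsplit(";", 1)[-1], expected):
        return None  # cryptographically invalid signature
    if require_coverage and uncovered_mandatory_fields(text):
        return None  # valid signature, but over irrelevant bits
    return fields


# Constructed sample narinfos (paths, hashes and key are made up).
KEY = b"constructed-demo-key"
ESSENTIAL = (
    "StorePath: /gnu/store/0000000000000000000000000000000-hello-2.10\n"
    "NarHash: sha256:0000000000000000000000000000000000000000000000000000\n"
    "References: 0000000000000000000000000000000-glibc-2.28\n"
)
INFORMATIVE = (
    "URL: nar/gzip/0000000000000000000000000000000-hello-2.10\n"
    "Compression: gzip\n"
    "NarSize: 12345\n"
)
GOOD = sign_narinfo(ESSENTIAL + INFORMATIVE, KEY)      # covers everything
SIG_FIRST = sign_narinfo("", KEY) + ESSENTIAL + INFORMATIVE  # signed over ""
SIG_IRRELEVANT = sign_narinfo(INFORMATIVE, KEY) + ESSENTIAL  # covers URL etc. only

if __name__ == "__main__":
    for name, narinfo in (("good", GOOD), ("sig-first", SIG_FIRST),
                          ("sig-irrelevant", SIG_IRRELEVANT)):
        before = verify_narinfo(narinfo, KEY, require_coverage=False) is not None
        after = verify_narinfo(narinfo, KEY) is not None
        print(f"{name:15} pre-fix accepted={before} fixed accepted={after} "
              f"uncovered={uncovered_mandatory_fields(narinfo)}")
```

Both pathological narinfos carry a signature that verifies under the authorized key, which is exactly why the coverage check has to be a separate step after signature verification rather than a property of the signature itself.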
Re: bug#33733: Irrelevant narinfo signatures are honored
Ludovic Courtès <email@example.com> writes:
> The problem is that ‘guix substitute’ will accept such narinfos (when
> they are signed by an authorized key), even though the signature doesn’t
> cover the important parts (namely: StorePath, NarHash, and References;
> the rest is mostly informative.) A fix is attached with tests that
> illustrate the problem.
I pushed the fix as 60b04024f8823192b74c1ed5b14f318049865ac7 and an update of the ‘guix’ package as 7ef64ec8476e9f13262d7755aff27c97dd2cd683. I encourage you to upgrade your daemon.

Ludo’.