[security] Substitutes fetched from server with no authorized key

  • Done
Details
3 participants
  • Julien Lepiller
  • Ludovic Courtès
  • Pierre Neidhardt
Owner
unassigned
Submitted by
Pierre Neidhardt
Severity
normal
Pierre Neidhardt wrote on 17 Jun 2020 09:37
(address . bug-guix@gnu.org)
87k106nnwg.fsf@ambrevar.xyz
I could be doing something wrong, but...

1. Alice starts `guix publish -u ambrevar`.
2. Bob, who did _not_ authorize Alice's signing key:
- herd stop guix-daemon
- guix-daemon --build-users-group=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
- guix build curl

Result:

downloading from http://10.0.0.4:8080/nar/gzip/...

Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.

Am I missing something or is there something really wrong?

--
Pierre Neidhardt

Julien Lepiller wrote on 17 Jun 2020 13:05
DDDA1FF9-4503-4547-BF17-CFA181DDD204@lepiller.eu
On 17 June 2020 03:37:35 GMT-04:00, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
>I could be doing something wrong, but...
>
>1. Alice starts `guix publish -u ambrevar`.
>2. Bob, who did _not_ authorize Alice's signing key:
> - herd stop guix-daemon
> - guix-daemon --build-users-group=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
> - guix build curl
>
>Result:
>
>--8<---------------cut here---------------start------------->8---
>downloading from http://10.0.0.4:8080/nar/gzip/...
>--8<---------------cut here---------------end--------------->8---
>
>Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
>
>Am I missing something or is there something really wrong?

There are two ways that you can get substitutes from unauthorized servers:

Substitutes for fixed-output derivations: guix already knows the result, so it doesn't need a signature, it checks the result (not sure this is a thing)

Substitutes that are reproducible. If you have a narinfo from an authorized build farm for a package in your local cache and Alice's publish server proposes the same (name and checksum) substitute, you can download it. This is definitely a thing.

Other than that, guix should not use Alice's substitutes.
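
A simplified model of the second case in the reply above, as an added example that is not part of the thread and is not Guix's own code: an unauthorized server is only used as a mirror for content that an authorized key has already vouched for, and the downloaded archive is still checked against that checksum. The names `Narinfo`, `pick_source`, `accept_nar` and the key labels are hypothetical, the sample data is constructed, and signature verification is assumed to have happened before `signer` is filled in.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Narinfo:
    url: str               # server that offered this narinfo
    store_path: str        # store item being substituted
    nar_sha256: str        # checksum the narinfo claims for the archive
    signer: Optional[str]  # key whose signature verified; None if none did

def pick_source(narinfos, authorized_keys):
    """Pick the narinfo to download from; `narinfos` is in substitute-URL order."""
    # Only narinfos signed by an authorized key decide which content is trusted.
    trusted = {(n.store_path, n.nar_sha256)
               for n in narinfos if n.signer in authorized_keys}
    # Any server advertising exactly that content may then act as a mirror.
    for n in narinfos:
        if (n.store_path, n.nar_sha256) in trusted:
            return n
    return None  # nothing vouched for by an authorized key: no substitute

def accept_nar(narinfo, nar_bytes):
    """After download, the bytes must match the checksum that was vouched for."""
    return hashlib.sha256(nar_bytes).hexdigest() == narinfo.nar_sha256

# Constructed sample data: the URLs are the two from the report, the rest is made up.
ALICE, CI = "http://10.0.0.4:8080", "https://ci.guix.gnu.org"
PATH = "/gnu/store/<hash>-curl"           # placeholder store path
NAR = b"constructed nar contents for curl"
GOOD = hashlib.sha256(NAR).hexdigest()
BAD = hashlib.sha256(b"something else").hexdigest()
ACL = {"ci-key"}                          # Bob authorized only the build farm

same = [Narinfo(ALICE, PATH, GOOD, "alice-key"), Narinfo(CI, PATH, GOOD, "ci-key")]
differs = [Narinfo(ALICE, PATH, BAD, "alice-key"), Narinfo(CI, PATH, GOOD, "ci-key")]
alone = [Narinfo(ALICE, PATH, GOOD, "alice-key")]

if __name__ == "__main__":
    for name, offers in (("same", same), ("differs", differs), ("alone", alone)):
        src = pick_source(offers, ACL)
        print(name, "->", src.url if src else "no substitute")
```

In the `same` case the download comes from Alice's server, which matches the `downloading from http://10.0.0.4:8080/nar/gzip/...` line in the report; in the other two cases her narinfo is never used.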
Pierre Neidhardt wrote on 17 Jun 2020 13:51
87h7v929m5.fsf@ambrevar.xyz
Oh, that makes sense!
This is very smart actually!

Thanks a lot for the explanation!

--
Pierre Neidhardt

Pierre Neidhardt wrote on 17 Jun 2020 13:52
control message for bug #41907
(address . control@debbugs.gnu.org)
87ftat29lj.fsf@ambrevar.xyz
close 41907
quit
Ludovic Courtès wrote on 19 Jun 2020 22:51
(address . control@debbugs.gnu.org)
87eeqaeq47.fsf@gnu.org
tags 41907 + notabug
quit