[PATCH] publish: Sign only normative narinfo fields.

  • Done
  • quality assurance status badge
Details
3 participants
  • Ludovic Courtès
  • Christopher Baines
  • pukkamustard
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 9 Feb 2022 18:52
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20220209175224.26851-1-ludo@gnu.org
This will allow mirror operators to alter the non-normative bits of a
narinfo, such as nar URLs and compression methods, without requiring
them to resign narinfos.

* guix/scripts/publish.scm (narinfo-string): Remove
URL/Compression/FileSize from BASE-INFO. Move them after "Signature".
* tests/publish.scm ("/*.narinfo")
("/*.narinfo with properly encoded '+' sign")
("/*.narinfo with lzip + gzip")
("with cache, lzip + gzip"): Adjust accordingly.
* tests/substitute.scm ("query narinfo with signature over relevant subset"):
New test.
---
guix/scripts/publish.scm | 29 +++++++++++--------
tests/publish.scm | 61 ++++++++++++++++++++++++----------------
tests/substitute.scm | 25 +++++++++++++++-
3 files changed, 77 insertions(+), 38 deletions(-)

Hello!

As discussed on IRC and on guix-sysadmin, narinfos currently produced
by ‘guix publish’ includes a signature that covers everything,
including “non-normative” bits such as nar URLs, compression method, etc.:

Toggle snippet (18 lines)
$ wget -qO - https://ci.guix.gnu.org/8fpk2cja3f07xls48jfnpgrzrljpqivr.narinfo
StorePath: /gnu/store/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
URL: nar/gzip/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
Compression: gzip
FileSize: 6337529
URL: nar/lzip/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
Compression: lzip
FileSize: 2533971
URL: nar/zstd/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
Compression: zstd
FileSize: 2767372
NarHash: sha256:0k0l1x5kxlsd83zg36z8kcwh3xpvfhkw8m1512vv9q2vi9c2lv2h
NarSize: 17180824
References: 094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib 5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33 8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32 a38k2v29l6l0iz6pmlk4dmzwdbvl10lq-acl-2.3.1 a7ggx0af69gv4k5mr1k617p4vy9kgx2v-libcap-2.62 fwbiihd2sbhai63y1pvvdh0f2bakfzrf-gmp-6.2.1 jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5.1
Deriver: y4qp5kiqg3xhgqyj67xav2ld81wpwsmw-coreutils-8.32.drv
Signature: 1;berlin.guix.gnu.org;KHNpZ25hdHVyZSAKIChkYXRhIAogIChmbGFncyByZmM2OTc5KQogIChoYXNoIHNoYTI1NiAjODQyQjU4MTY5NTEwNkExNUQyRTBDRTgzRDA0MjUxRUMzMDgzMTVCRUIyODQzRkVENkM1RkY0N0I0RjBFRTE5NSMpCiAgKQogKHNpZy12YWwgCiAgKGVjZHNhIAogICAociAjMEE5QUQxNkJDQUExREQ1NkRGRUQ4QTUwQUZBODNFQzlEOUVBNDdFQUVBQUU2OTFBQzk3NDdDNkQ4MDcyOEY5RiMpCiAgIChzICMwM0ZGM0Y3NzJFQkU5OUY2M0YzNTEzMUFBQkY0MUVENzBBRjUwRDE4Mzc2RTM1QzUwN0NEQUQwQUE4NjRFQTk5IykKICAgKQogICkKIChwdWJsaWMta2V5IAogIChlY2MgCiAgIChjdXJ2ZSBFZDI1NTE5KQogICAocSAjOEQxNTZGMjk1RDI0QjBEOUE4NkZBNTc0MUE4NDBGRjJEMjRGNjBGN0I2QzQxMzQ4MTRBRDU1NjI1OTcxQjM5NCMpCiAgICkKICApCiApCg==

A consequence is that a mirror operator who’d like to, say,
remove some of the compression methods cannot do that, unless they
are in a position to resign narinfos.

This patch fixes it by computing the signature over the normative
fields only (plus the “Deriver” field, although it’s not strictly
necessary). The result looks like this:

Toggle snippet (11 lines)
$ wget -qO - http://localhost:9999/8fpk2cja3f07xls48jfnpgrzrljpqivr.narinfo
StorePath: /gnu/store/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
NarHash: sha256:0k0l1x5kxlsd83zg36z8kcwh3xpvfhkw8m1512vv9q2vi9c2lv2h
NarSize: 17180824
References: 094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib 5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33 8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32 a38k2v29l6l0iz6pmlk4dmzwdbvl10lq-acl-2.3.1 a7ggx0af69gv4k5mr1k617p4vy9kgx2v-libcap-2.62 fwbiihd2sbhai63y1pvvdh0f2bakfzrf-gmp-6.2.1 jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5.1
Deriver: y4qp5kiqg3xhgqyj67xav2ld81wpwsmw-coreutils-8.32.drv
Signature: 1;ribbon;KHNpZ25hdHVyZSAKIChkYXRhIAogIChmbGFncyByZmM2OTc5KQogIChoYXNoIHNoYTI1NiAjOEM1OUFEMjYzNEY4MDU3REI0NTUzQkMxM0RFRUM0QkQ2NDYwRDMzMzFDOEJBN0Q5MTgwOEI4QjdDQUFGMEREMCMpCiAgKQogKHNpZy12YWwgCiAgKGVjZHNhIAogICAociAjMEYxQkZDQUM3QzcyNEZERjU4QTA1REU4NTU5NkIyRTYxOEE4OTQ4QkJCMUQ2NEUzMkM4QUE3OTlFNEU0NEIzMCMpCiAgIChzICMwMUREMkU1RTZDRkQwNURGNkI2OEM2OUEwMERBRjU2QUUwMkQ5RTRDQ0E1QjQ3RUJBNUY1MzNCMTBBMDNBMzdBIykKICAgKQogICkKIChwdWJsaWMta2V5IAogIChlY2MgCiAgIChjdXJ2ZSBFZDI1NTE5KQogICAocSAjNDYwQzg2OEJGQkM2REI2Q0JEMTdDRUZGMjE1MkFCRENDNjdFRDg5MTk1MzE2MURCN0ZBODkyQ0JBM0MxM0IwRiMpCiAgICkKICApCiApCg==
URL: nar/gzip/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
Compression: gzip

Notice that URL/Compression come after the signature.

I added a test to ‘tests/substitute.scm’ to be entirely sure
that (guix narinfo) handles these correctly.

Thoughts?

Thanks,
Ludo’.

Toggle diff (217 lines)
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index 6e2b4368da..870dfc11e9 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2020 by Amar M. Singh <nly@disroot.org>
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com>
;;; Copyright © 2021 Mathieu Othacehe <othacehe@gnu.org>
@@ -345,20 +345,10 @@ (define* (narinfo-string store store-path
(base-info (format #f
"\
StorePath: ~a
-~{~a~}\
NarHash: sha256:~a
NarSize: ~d
References: ~a~%"
store-path
- (map (lambda (compression)
- (let ((size (assoc-ref file-sizes
- compression)))
- (store-item->recutils store-path
- #:file-size size
- #:nar-path nar-path
- #:compression
- compression)))
- compressions)
hash size references))
;; Do not render a "Deriver" line if we are rendering info for a
;; derivation. Also do not render a "System" line that would be
@@ -369,7 +359,22 @@ (define* (narinfo-string store store-path
base-info (basename deriver))))
(signature (base64-encode-string
(canonical-sexp->string (signed-string info)))))
- (format #f "~aSignature: 1;~a;~a~%" info (gethostname) signature)))
+ (format #f "~aSignature: 1;~a;~a~%~{~a~}"
+ info (gethostname) signature
+
+ ;; Move information about the actual nars
+ ;; (URL/Compression/FileSize) *after* the normative part that is
+ ;; signed. That makes it possible to alter these bits of the
+ ;; narinfo without having to resign them.
+ (map (lambda (compression)
+ (let ((size (assoc-ref file-sizes
+ compression)))
+ (store-item->recutils store-path
+ #:file-size size
+ #:nar-path nar-path
+ #:compression
+ compression)))
+ compressions))))
(define* (not-found request
#:key (phrase "Resource not found")
diff --git a/tests/publish.scm b/tests/publish.scm
index e3c27c5eea..47c5eabca0 100644
--- a/tests/publish.scm
+++ b/tests/publish.scm
@@ -142,15 +142,10 @@ (define %gzip-magic-bytes
(unsigned-info
(format #f
"StorePath: ~a
-URL: nar/~a
-Compression: none
-FileSize: ~a
NarHash: sha256:~a
NarSize: ~d
References: ~a~%"
%item
- (basename %item)
- (path-info-nar-size info)
(bytevector->nix-base32-string
(path-info-hash info))
(path-info-nar-size info)
@@ -159,8 +154,13 @@ (define %gzip-magic-bytes
(string->utf8
(canonical-sexp->string
(signed-string unsigned-info))))))
- (format #f "~aSignature: 1;~a;~a~%"
- unsigned-info (gethostname) signature))
+ (format #f "~aSignature: 1;~a;~a
+URL: nar/~a
+Compression: none
+FileSize: ~a\n"
+ unsigned-info (gethostname) signature
+ (basename %item)
+ (path-info-nar-size info)))
(utf8->string
(http-get-body
(publish-uri
@@ -173,15 +173,10 @@ (define %gzip-magic-bytes
(unsigned-info
(format #f
"StorePath: ~a
-URL: nar/~a
-Compression: none
-FileSize: ~a
NarHash: sha256:~a
NarSize: ~d
References: ~%"
item
- (uri-encode (basename item))
- (path-info-nar-size info)
(bytevector->nix-base32-string
(path-info-hash info))
(path-info-nar-size info)))
@@ -189,8 +184,13 @@ (define %gzip-magic-bytes
(string->utf8
(canonical-sexp->string
(signed-string unsigned-info))))))
- (format #f "~aSignature: 1;~a;~a~%"
- unsigned-info (gethostname) signature))
+ (format #f "~aSignature: 1;~a;~a
+URL: nar/~a
+Compression: none
+FileSize: ~a~%"
+ unsigned-info (gethostname) signature
+ (uri-encode (basename item))
+ (path-info-nar-size info)))
(let ((item (add-text-to-store %store "fake-gtk+" "Congrats!")))
(utf8->string
@@ -324,7 +324,12 @@ (define %gzip-magic-bytes
(part (store-path-hash-part %item))
(url (string-append base part ".narinfo"))
(body (http-get-port url)))
- (list (take (recutils->alist body) 5)
+ (list (filter (match-lambda
+ (("StorePath" . _) #t)
+ (("URL" . _) #t)
+ (("Compression" . _) #t)
+ (_ #f))
+ (recutils->alist body))
(response-code
(http-get (string-append base "nar/gzip/"
(basename %item))))
@@ -504,16 +509,22 @@ (define %gzip-magic-bytes
(basename %item))))
(and (file-exists? (nar "gzip"))
(file-exists? (nar "lzip"))
- (equal? (take (pk 'narinfo/gzip+lzip narinfo) 7)
- `(("StorePath" . ,%item)
- ("URL" . ,(nar-url "gzip"))
- ("Compression" . "gzip")
- ("FileSize" . ,(number->string
- (stat:size (stat (nar "gzip")))))
- ("URL" . ,(nar-url "lzip"))
- ("Compression" . "lzip")
- ("FileSize" . ,(number->string
- (stat:size (stat (nar "lzip")))))))
+ (match (pk 'narinfo/gzip+lzip narinfo)
+ ((("StorePath" . path)
+ _ ...
+ ("Signature" . _)
+ ("URL" . gzip-url)
+ ("Compression" . "gzip")
+ ("FileSize" . (= string->number gzip-size))
+ ("URL" . lzip-url)
+ ("Compression" . "lzip")
+ ("FileSize" . (= string->number lzip-size)))
+ (and (string=? gzip-url (nar-url "gzip"))
+ (string=? lzip-url (nar-url "lzip"))
+ (= gzip-size
+ (stat:size (stat (nar "gzip"))))
+ (= lzip-size
+ (stat:size (stat (nar "lzip")))))))
(list (response-code
(http-get (string-append base (nar-url "gzip"))))
(response-code
diff --git a/tests/substitute.scm b/tests/substitute.scm
index 21b513e1d8..049e6ba762 100644
--- a/tests/substitute.scm
+++ b/tests/substitute.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
-;;; Copyright © 2014, 2015, 2017, 2018, 2019, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014-2015, 2017-2019, 2021-2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -268,6 +268,29 @@ (define-syntax-rule (with-narinfo* narinfo directory body ...)
(lambda ()
(guix-substitute "--query")))))))))
+(test-equal "query narinfo with signature over relevant subset"
+ ;; The signature covers the StorePath/NarHash/References tuple, so it is
+ ;; valid; it does not cover non-normative fields, which is fine.
+ (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
+
+ (let ((prefix (string-append "StorePath: " (%store-prefix)
+ "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo
+NarHash: sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+References: bar baz\n")))
+ (with-narinfo (string-append prefix
+ "Signature: " (signature-field prefix) "
+URL: example.nar
+Compression: none
+NarSize: 42
+Deriver: " (%store-prefix) "/foo.drv")
+ (string-trim-both
+ (with-output-to-string
+ (lambda ()
+ (with-input-from-string (string-append "have " (%store-prefix)
+ "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
+ (lambda ()
+ (guix-substitute "--query")))))))))
+
(test-equal "query narinfo signed with authorized key"
(string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
--
2.34.0
C
C
Christopher Baines wrote on 9 Feb 2022 19:29
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53901@debbugs.gnu.org)
87leyjevpk.fsf@cbaines.net
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (8 lines)
> A consequence is that a mirror operator who’d like to, say,
> remove some of the compression methods cannot do that, unless they
> are in a position to resign narinfos.
>
> This patch fixes it by computing the signature over the normative
> fields only (plus the “Deriver” field, although it’s not strictly
> necessary). The result looks like this:

...

Toggle quote (7 lines)
> Notice that URL/Compression come after the signature.
>
> I added a test to ‘tests/substitute.scm’ to be entirely sure
> that (guix narinfo) handles these correctly.
>
> Thoughts?

This sounds good to me.

Going back to talk of enabling zstd substitutes on
bordeaux.guix.gnu.org, this approach will be really helpful, as it means
it's something the nar-herder can do, without needing the signing key.

Also, at some point, it would be good to move narinfo-string out to
(guix narinfo), which would allow for the build coordinator to use it,
rather than it's own implementation.

Thanks,

Chris
-----BEGIN PGP SIGNATURE-----

iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmIECPdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh
aW5lcy5uZXQACgkQXiijOwuE9XfKBRAArkJsZv7aTEhIldKXMIE35huSmImC0ViN
K/Gsm8+p4zu/slKfY7+jaEV1+u4480Db54B67qswnvdoT2QX92Y5WBmoGaVtYV6s
MYdcjXZW9vXSGvzkyu+8BQFNs285jH7DZ4wqLger4u0gPj+OqqugokRn02ewZMYB
/uzyW6nbdEHfp34ynGy8QuUaeaZJuwpAUDl6vZTwbvPHCQIrTY5OxrTOOpbUS9Fn
LTXOpBimcVTmaMySr0kgOTZm0l2AqKSxi7+U7bUz2AOkfEsE4sJvk13RFJI8LE0Z
KQvPusFED5CjzUGEi3RIcN7CHrWFlMPak4JicW+IBCbi1ErtDlGBcJa+/me2MNsW
p2n66nIQ5TQtrh0+SI410SKS7Q7NkbvZGDcT8C8PB4jY44sc9Rm81ZMbsYepZF8c
zF0KCYEp95Vq9pwRDi6ibA5h7YCm8oStupxiAqRdAuP62yVOjpgibiLAIiP+X4YG
X4HvElY0ScWpEUQmeDboCGZi46vRU081OaEi2sjxRSDN1607ame305jLEKHwLkS0
MmzP3w2x+e7WUZvAMMLNWmtMpC4lr1ZHFSdXuvu0uIcY9Hw6Df7Ysz/QGgiHkCN3
+mg8BAw5/cq2YkMh2VN0lW54bvu+jrFglkHWzzoAuSP8AoGOR1/VTEH7UDskkY3f
lySIcqMNN3g=
=owb9
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 9 Feb 2022 22:49
Re: bug#53901: [PATCH] publish: Sign only normative narinfo fields.
(name . Christopher Baines)(address . mail@cbaines.net)(address . 53901@debbugs.gnu.org)
87a6ez7ls7.fsf_-_@gnu.org
Hi Chris,

Christopher Baines <mail@cbaines.net> skribis:

Toggle quote (2 lines)
> This sounds good to me.

Coolio.

Toggle quote (4 lines)
> Going back to talk of enabling zstd substitutes on
> bordeaux.guix.gnu.org, this approach will be really helpful, as it means
> it's something the nar-herder can do, without needing the signing key.

Yes, it’s much better this way. (And I think it’s important to provide
zstd substitutes for a good user experience.)

Toggle quote (4 lines)
> Also, at some point, it would be good to move narinfo-string out to
> (guix narinfo), which would allow for the build coordinator to use it,
> rather than it's own implementation.

So if it uses its own implementation, it won’t benefit from this patch
right directly, right?

Anyhow I agree, we should move ‘narinfo-string’ to (guix narinfo). I’ll
take a look if you don’t beat me at it! :-)

Thanks,
Ludo’.
P
P
pukkamustard wrote on 10 Feb 2022 10:00
Re: [bug#53901] [PATCH] publish: Sign only normative narinfo fields.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53901@debbugs.gnu.org)
8635kr84ge.fsf@posteo.net
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (8 lines)
> This will allow mirror operators to alter the non-normative bits of a
> narinfo, such as nar URLs and compression methods, without requiring
> them to resign narinfos.
>
> [...]
>
> Thoughts?

Sounds good to me.

Maybe we can take the opportunity to do some cleanup?

For example: We could get rid of the narinfo-contents field as we only
sign the fixed normative fields (in a strict order). This would also
allow us to remove the verify-everything-above-signature logic.

I recently tripped over the narinfo verification logic
(https://issues.guix.gnu.org/52555#43)and think the changes you propose
plus the simplifications above should make this security-critical code a
bit easier to understand.

-pukkamustard
L
L
Ludovic Courtès wrote on 10 Feb 2022 22:09
(name . pukkamustard)(address . pukkamustard@posteo.net)(address . 53901@debbugs.gnu.org)
87v8xm2zua.fsf@gnu.org
Hi,

pukkamustard <pukkamustard@posteo.net> skribis:

Toggle quote (12 lines)
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> This will allow mirror operators to alter the non-normative bits of a
>> narinfo, such as nar URLs and compression methods, without requiring
>> them to resign narinfos.
>>
>> [...]
>>
>> Thoughts?
>
> Sounds good to me.

Thanks.

Toggle quote (6 lines)
> Maybe we can take the opportunity to do some cleanup?
>
> For example: We could get rid of the narinfo-contents field as we only
> sign the fixed normative fields (in a strict order). This would also
> allow us to remove the verify-everything-above-signature logic.

At this point, the client (narinfo consumer) cannot assume that the
server signs only the normative part, and only in a specific order; this
would be a protocol change (in fact, with this patch, ‘guix publish’
actually also signs the ‘Deriver’ field although that’s not a normative
field; maybe I should take ‘Deriver’ out.)

So I’m afraid we cannot clean that up yet.

Toggle quote (5 lines)
> I recently tripped over the narinfo verification logic
> (https://issues.guix.gnu.org/52555#43) and think the changes you propose
> plus the simplifications above should make this security-critical code a
> bit easier to understand.

To be fair, the relevant bit is ‘narinfo-sha256’, which is 18 lines.

That said, in hindsight, you’re right: it would have been wiser to (1)
enforce a canonical representation of narinfos, and (2) require
signatures on a specific and ordered set of normative fields.

The problem is that all the narinfos out there fail #2 so we’ll
necessarily have to wait before we can really get rid of the
verify-everything-above-signature logic.

Thanks,
Ludo’.
P
P
pukkamustard wrote on 11 Feb 2022 11:30
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53901@debbugs.gnu.org)
86o83dvgh6.fsf@posteo.net
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (10 lines)
> [...]
>
> At this point, the client (narinfo consumer) cannot assume that the
> server signs only the normative part, and only in a specific order; this
> would be a protocol change (in fact, with this patch, ‘guix publish’
> actually also signs the ‘Deriver’ field although that’s not a normative
> field; maybe I should take ‘Deriver’ out.)
>
> So I’m afraid we cannot clean that up yet.

Ah, yes. I didn't think of the case where the server is older than the
client.

Thank you for your explanation!

-pukkamustard
L
L
Ludovic Courtès wrote on 14 Feb 2022 11:29
Re: bug#53901: [PATCH] publish: Sign only normative narinfo fields.
(address . 53901-done@debbugs.gnu.org)
8735klzqpl.fsf@gnu.org
Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (13 lines)
> This will allow mirror operators to alter the non-normative bits of a
> narinfo, such as nar URLs and compression methods, without requiring
> them to resign narinfos.
>
> * guix/scripts/publish.scm (narinfo-string): Remove
> URL/Compression/FileSize from BASE-INFO. Move them after "Signature".
> * tests/publish.scm ("/*.narinfo")
> ("/*.narinfo with properly encoded '+' sign")
> ("/*.narinfo with lzip + gzip")
> ("with cache, lzip + gzip"): Adjust accordingly.
> * tests/substitute.scm ("query narinfo with signature over relevant subset"):
> New test.

Pushed as 6adce1538d2df6fa2d68abc13ae94e2fa826d124 with a slightly
different commit log.

After this change, there are still non-normative fields being signed:
“NarSize”, and “Deriver”:

Toggle snippet (11 lines)
$ wget -qO - http://localhost:9999/8fpk2cja3f07xls48jfnpgrzrljpqivr.narinfo
StorePath: /gnu/store/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
NarHash: sha256:0k0l1x5kxlsd83zg36z8kcwh3xpvfhkw8m1512vv9q2vi9c2lv2h
NarSize: 17180824
References: 094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib 5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33 8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32 a38k2v29l6l0iz6pmlk4dmzwdbvl10lq-acl-2.3.1 a7ggx0af69gv4k5mr1k617p4vy9kgx2v-libcap-2.62 fwbiihd2sbhai63y1pvvdh0f2bakfzrf-gmp-6.2.1 jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5.1
Deriver: y4qp5kiqg3xhgqyj67xav2ld81wpwsmw-coreutils-8.32.drv
Signature: 1;ribbon;KHNpZ25hdHVyZSAKIChkYXRhIAogIChmbGFncyByZmM2OTc5KQogIChoYXNoIHNoYTI1NiAjOEM1OUFEMjYzNEY4MDU3REI0NTUzQkMxM0RFRUM0QkQ2NDYwRDMzMzFDOEJBN0Q5MTgwOEI4QjdDQUFGMEREMCMpCiAgKQogKHNpZy12YWwgCiAgKGVjZHNhIAogICAociAjMEYxQkZDQUM3QzcyNEZERjU4QTA1REU4NTU5NkIyRTYxOEE4OTQ4QkJCMUQ2NEUzMkM4QUE3OTlFNEU0NEIzMCMpCiAgIChzICMwMUREMkU1RTZDRkQwNURGNkI2OEM2OUEwMERBRjU2QUUwMkQ5RTRDQ0E1QjQ3RUJBNUY1MzNCMTBBMDNBMzdBIykKICAgKQogICkKIChwdWJsaWMta2V5IAogIChlY2MgCiAgIChjdXJ2ZSBFZDI1NTE5KQogICAocSAjNDYwQzg2OEJGQkM2REI2Q0JEMTdDRUZGMjE1MkFCRENDNjdFRDg5MTk1MzE2MURCN0ZBODkyQ0JBM0MxM0IwRiMpCiAgICkKICApCiApCg==
URL: nar/gzip/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
Compression: gzip

As suggested during the discussion with pukkamustard, we can consider
taking them out as well, though I figured we’d rather do it separately.

Thanks,
Ludo’.
Closed
?