Right now, when a user does a "guix pull", that pulls down the latestrepository of code from git, which is kept in a tarball. Once youreceive the latest code, this has some checks: what's the hash of eachpackage, etc. Unfortunately, it's delivered over http: (define %snapshot-url ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" ) At minimum we should deliver this over HTTPS, ideally with a singlecertificate that is trusted by the user, so the user can't be easilyMITM'ed. On top of that, even if you run from git proper what there isn't a testabout is: can you trust those latest commits? Git doesn't really check,at least by default. https://mikegerwitz.com/papers/git-horror-story How about this: anyone with commit access should use "signed off by" andgpg signatures combined. We should keep some list of guix committers'gpg keys. No commit should be pushed to guix without a gpg signature.At this point, at least, there is some possibility of auditing things. Perhaps before a master.tar.gz is made, there can be some integritycheck of the commits matching the current set of "trusted" keys?
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 22883@debbugs.gnu.org)
20160302192642.GA16774@jasmine
On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
Toggle quote (5 lines)> Right now, when a user does a "guix pull", that pulls down the latest> repository of code from git, which is kept in a tarball. Once you> receive the latest code, this has some checks: what's the hash of each> package, etc.
A discussion worth having. But, let's merge this bug intodebbugs.gnu.org/22629. Also, we should read "The Update Framework" asrequested there.
Toggle quote (28 lines)> > Unfortunately, it's delivered over http:> > (define %snapshot-url> ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"> "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"> )> > At minimum we should deliver this over HTTPS, ideally with a single> certificate that is trusted by the user, so the user can't be easily> MITM'ed.> > On top of that, even if you run from git proper what there isn't a test> about is: can you trust those latest commits? Git doesn't really check,> at least by default.> > https://mikegerwitz.com/papers/git-horror-story> > How about this: anyone with commit access should use "signed off by" and> gpg signatures combined. We should keep some list of guix committers'> gpg keys. No commit should be pushed to guix without a gpg signature.> At this point, at least, there is some possibility of auditing things.> > Perhaps before a master.tar.gz is made, there can be some integrity> check of the commits matching the current set of "trusted" keys?> > >
(name . Leo Famulari)(address . leo@famulari.name)(address . 22883@debbugs.gnu.org)
878u20si6f.fsf@dustycloud.org
Leo Famulari writes:
Toggle quote (9 lines)> On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:>> Right now, when a user does a "guix pull", that pulls down the latest>> repository of code from git, which is kept in a tarball. Once you>> receive the latest code, this has some checks: what's the hash of each>> package, etc.>> A discussion worth having. But, let's merge this bug into> debbugs.gnu.org/22629.
I'm not sure they should be merged, though they're related. That threaddoesn't deal at all with security, though it provides some other goodideas. It even says: PS: I do not mention the issue of authenticating code here, which is obviously very important and deserves to be treated separately. However I have no objections to merging them if others think we should
Toggle quote (2 lines)> Also, we should read "The Update Framework" as requested there.
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 22883@debbugs.gnu.org)
87h9ep8gxk.fsf@gnu.org
Hello! Christopher Allan Webber <cwebber@dustycloud.org> skribis:
Toggle quote (11 lines)> On top of that, even if you run from git proper what there isn't a test> about is: can you trust those latest commits? Git doesn't really check,> at least by default.>> https://mikegerwitz.com/papers/git-horror-story>> How about this: anyone with commit access should use "signed off by" and> gpg signatures combined. We should keep some list of guix committers'> gpg keys. No commit should be pushed to guix without a gpg signature.> At this point, at least, there is some possibility of auditing things.
To make progress on this front, I’ve decided to start signing all mycommits, so:
I invite everyone to do the same. Hopefully, within a few weeks, we canadd a commit hook to reject unsigned commits. Note that we’ll be signing patches we push on behalf of contributors whodo not have commit access (reviewer’s responsibility). Also, rebasing, amending, and cherry-picking code signed by someone elsewould lose the original signature, which isn’t great and should beavoided, if possible. What remains to be seen, among other things, is how we’ll maintain akeyring of the committers, and how we’ll distribute it to users of ‘guixpull’; the TUF spec has clever ideas about it, but we need to see howthey map to our setup. Thoughts? Ludo’.
On Tue, Apr 26, 2016 at 12:25:11AM +0200, Ludovic Courtès wrote:
Toggle quote (28 lines)> Hello!> > Christopher Allan Webber <cwebber@dustycloud.org> skribis:> > > On top of that, even if you run from git proper what there isn't a test> > about is: can you trust those latest commits? Git doesn't really check,> > at least by default.> >> > https://mikegerwitz.com/papers/git-horror-story> >> > How about this: anyone with commit access should use "signed off by" and> > gpg signatures combined. We should keep some list of guix committers'> > gpg keys. No commit should be pushed to guix without a gpg signature.> > At this point, at least, there is some possibility of auditing things.> > To make progress on this front, I’ve decided to start signing all my> commits, so:> > --8<---------------cut here---------------start------------->8---> $ git config commit.gpgsign> true> $ git config --global user.signingkey> 090B11993D9AEBB5> --8<---------------cut here---------------end--------------->8---> > I invite everyone to do the same. Hopefully, within a few weeks, we can> add a commit hook to reject unsigned commits.
Okay.
Toggle quote (7 lines)> Note that we’ll be signing patches we push on behalf of contributors who> do not have commit access (reviewer’s responsibility).> > Also, rebasing, amending, and cherry-picking code signed by someone else> would lose the original signature, which isn’t great and should be> avoided, if possible.
I think it's common to make minor edits when committing on behalf ofothers. For example, the committer might clean up a commit message orstandardize indentation. How should we handle this?
On Mon, Apr 25, 2016 at 8:13 PM, Leo Famulari <leo@famulari.name> wrote:
Toggle quote (6 lines)> I think it's common to make minor edits when committing on behalf of> others. For example, the committer might clean up a commit message or> standardize indentation.>> How should we handle this?
You would sign the commit yourself if you are committing on behalf ofsomeone else. - Dave
Toggle quote (11 lines)> On Mon, Apr 25, 2016 at 8:13 PM, Leo Famulari <leo@famulari.name> wrote:>>> I think it's common to make minor edits when committing on behalf of>> others. For example, the committer might clean up a commit message or>> standardize indentation.>>>> How should we handle this?>> You would sign the commit yourself if you are committing on behalf of> someone else.
Right. The (minor) issue I was referring to arises when one committermassages signed commits from another committer. Ludo’.
(name . Leo Famulari)(address . leo@famulari.name)
874majg0z8.fsf@gnu.org
Hey, guys. Chris mentioned this thread to me. I'm happy to see thediscussion! Chris: unfortunately, my `mml-secure-openpgp-encrypt-to-self` flagsomehow got unset when I sent you my reply, so I can't read my ownmessage. But I'll rewrite some of it here. On Mon, Apr 25, 2016 at 20:13:59 -0400, Leo Famulari wrote:
Toggle quote (13 lines)>> Note that we’ll be signing patches we push on behalf of contributors who>> do not have commit access (reviewer’s responsibility).>> >> Also, rebasing, amending, and cherry-picking code signed by someone else>> would lose the original signature, which isn’t great and should be>> avoided, if possible.>> I think it's common to make minor edits when committing on behalf of> others. For example, the committer might clean up a commit message or> standardize indentation.>> How should we handle this?
You don't. One of the core purposes of digital signatures is to ensure integrity ofthe signed data: if I submit a patch, I don't want someone elsemodifying it and saying it was my own, or saying it was modified withoutsupplying a diff; that'd be a misrepresentation; a horror storyalmost. ;) The question is for what purpose you're signing commits. Chrismentioned trust, but that can come in a few different forms. Signaturesensure: - Authentication: whether the commit came from a trusted source; - Integrity: assurance that the commit has not been modified; and - Non-repudiation of origin: the signer cannot deny signing it. If you only care about authentication, then it doesn't matter if thesignature is retained---it only matters that the person who eventuallysigns off on the commit is trusted. In that case, just sign it. If it's integrity, then make another commit that changes theoriginal. I recommend this regardless, for the reason I stated above;just branch, apply their commits, your change, and merge. For non-repudiation assurances, you'll need to keep the originalsignature as well. This might be useful, say, in the case of issueswith copyright assignments---maybe an employer holds copyright on thecode and the employee claims he/she isn't the person that actuallysubmitted it. All of this subject to the usual crypo-caveats (no compromised privatekey, yadda yadda). Now, what is being signed isn't actually the code---it's the contents ofthe commit object, which includes a SHA-1 hash of the tree, parentcommit(s), author, committer, timestamp, and commit message:
My point with this[*] is that the GPG signature you receive isn'tmeaningful in the case of a rebase---if it signed blobs or a diff, maybeit would be. But since rebasing will eventually cause the GPG-signedcommit to be GC'd (unless there's a ref to it), you can't modify thecommit and just reference the old diff with the original signature. More details in a discussion with Whonix here: https://web.archive.org/web/20150619232904/https://www.whonix.org/forum/index.php?topic=538.msg4278#msg4278 So if you do want to clean up or squash GPG-signed changes fromcontributors, or do other rebasing, then I'd either push back and tellthem to do it, or maybe have them send GPG-signed _patches_ to a publicmailing list where it can be permanently archived; then everyone can seethe original.
[*] SHA-1 was never intended to be used as a security measure inGit---nor should it be; SHA-1 is effectively broken with thedemonstration of a freestart collision last year (where the attackercontrols the IV; but it's only a matter of time). So if a collision canbe found for any of those signed SHA-1 hashes---or any hashes theyreference---_that actually makes sense to Git and humans_, then yoursignature will still be perfectly valid. But distribution archives arealso GPG-signed, so Git will never be the only place of reference. I need to update my article, but I'm essentially saying that it's reallyhard to have strong cryptographic assurances with Git even with signedcommits---that attack surface is simply too large, as I mentioned in theWhonix discussion. Realistically, it's extremely unlikely thatsomething will ever happen, but until Git switches to a secure hashalgorithm (...har har), don't expect full integrity. If you're usingsignatures for authorization primarily, then you don't really need toworry. -- Mike GerwitzFree Software Hacker | GNU Maintainer & Volunteerhttps://mikegerwitz.comFSF Member #5804 | GPG Key ID: 0x8EE30EAB
Please, for the love of all/any gods!(if any)Fix this issue :)For example, you can get this https to work: https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz(it doesn't currently) $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz--2016-05-15 15:32:15-- https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gzResolving git.savannah.gnu.org... 208.118.235.72Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocolUnable to establish SSL connection. Chromium says:This site can’t provide a secure connection git.savannah.gnu.org sent an invalid response.Learn more about this problem.ERR_SSL_PROTOCOL_ERROR This works just fine though: https://savannah.gnu.org/and https://gnu.org/and https://www.gnu.org/ As a reminder, letsencrypt and startssl are a thing - both provide free certs. If that's the issue. But I presume there must be another reason why there's no https, therefore would you please consider hosting it somewhere like github? or if github isn't inline with GNU(for whatever reasons, eg. license), then surely notabug.org is(according to libreboot which recommends it instead of github)! Please, pretty please, consider it. At the very least you could host a mirror/clone there(if not make it the permanent home of the repo.) and someone(a dev) could push to both without even having two remotes(ie. just the origin remote with two push urls is okay); so when push-ing, both savannah and notabug would get updated(see below how), and thus we(the users) could use the notabug link to get master.tar.gz which would then be https.It would be something like this:https://https://notabug.org/guixuser/guix/archive/master.tar.gz(so it's .gz not .xz, is that worse than serving it over plain http?)I would actually recommend github for increased reliability, but whatever! As long as it's not served over http anymore! Or find some way of signing it? that's going to be harder than this! Here's how to have two push refs in the same remote(origin):Suppose that thisgit remove -v showshows this:origin https://github.com/gorhill/uMatrix.git(fetch)origin https://github.com/gorhill/uMatrix.git(push)Then to add another push url to the same origin remote, you'd do:re-add the already existing push url(from above):git remote set-url --add --push origin https://github.com/gorhill/uMatrix.gitnow, thisgit remote -v showwould show no changes!and now add the new one:git remote set-url --add --push origin git@notabug.org:somethingelse/uMatrix.gitand now, thisgit remote -v showwould show:origin https://github.com/gorhill/uMatrix.git(fetch)origin https://github.com/gorhill/uMatrix.git(push)origin git@notabug.org:somethingelse/uMatrix.git (push) So when you do 'git push', it will push to both (so it will prompt for your ssh key password twice). Of course for you the 'https://' urls from above would be 'git@' instead! (they just happen to be https for me, since I don't have push access) I want to be honest here: this bug is a show stopper for me! It makes me draw certain unfavorable conclusions about the mentality and seriousness of the guix project devs. I wish it wouldn't, but really can you blame me? I want to use guix but not until something's done about this so that MITM is unlikely to happen here. At the very least let me pull this over https, please! If you use notabug.org then not only we(the users) can get/clone the git repo over https, but we can also get/clone it over ssh! (instead of over just plain git://). So that'd be two rabbits in one shot! Please let me know if anything is going to be done about this, so that I would know what to do next: wait or move on. No hard feels. Presumably any direct answer would be better than no answer, so that I would know what to do, rather than waste time waiting for an answer...Thank you and I appreciate your time in reading all this! -signed, an idiot. ;-) #whohasselfesteemamirite
On Sun, May 15, 2016 at 8:40 AM, <fluxboks@openmailbox.org> wrote:
Toggle quote (27 lines)> Please, for the love of all/any gods!(if any)> Fix this issue :)> For example, you can get this https to work:> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz> (it doesn't currently)>> $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz> --2016-05-15 15:32:15--> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz> Resolving git.savannah.gnu.org... 208.118.235.72> Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol> Unable to establish SSL connection.>> Chromium says:> This site can’t provide a secure connection>> git.savannah.gnu.org sent an invalid response.> Learn more about this problem.> ERR_SSL_PROTOCOL_ERROR>> This works just fine though: https://savannah.gnu.org/ and https://gnu.org/> and https://www.gnu.org/>> As a reminder, letsencrypt and startssl are a thing - both provide free> certs. If that's the issue.
We *DO NOT* run Savannah, the FSF does. Savannah absolutely shouldallow cloning Git repositories over HTTPS, but we are the wrong peopleto complain to about it. You can send a polite message tosysadmin@gnu.org instead.
Toggle quote (4 lines)> I want to be honest here: this bug is a show stopper for me! It makes me> draw certain unfavorable conclusions about the mentality and seriousness of> the guix project devs. I wish it wouldn't, but really can you blame me?
Yes, I can. I think you should re-evaluate your conclusions. All ofour official release tarballs are GPG signed, we have begun signingall of our commits, all of our package recipes validate checksums forthe source code they download, and we patch CVEs in a pretty timelymanner for a such a small core team. I can assure you that we arevery serious about security. I recommend simply not using 'guix pull'right now until we have something more trustable, which we are workingon! This is beta software written by volunteers. The problem will besolved quicker with some more hands to help. Would you like to joinin? - Dave
Toggle quote (2 lines)> But I presume there must be another reason why there's no https,
HTTPS is not the alpha and omega of security. At best, it providesconfidentiality and allows users to authenticate the server (somecertificate authorities are corrupt though, so there’s a risk.) Once you’ve authenticated the server, you still haven’t authenticatedthe code, which is what you’re really interested in as a user. So this is what this issue is about, and I agree it needs to be fixedASAP. Your contributions are very welcome, too! :-) Ludo’.
Discussion of TUF in the context of Git checkout authentication
(address . 22883@debbugs.gnu.org)
87a8j4hn5h.fsf_-_@gnu.org
Hello! Here are some (somewhat unstructured!) thoughts about what it means todeliver secure updates to Guix users, and how The Update Framework (TUF)and related ideas can help us. To summarize, the problem we’re trying to solve is the “secure” updateof Git checkouts. That’s because Guix is a set of recipes and code thatis delivered to users/developers using Git. More specifically, we share most of the security goals listed inSections 1.5.2 and 1.5.3 of the TUF spec¹. TUF is biased towards repositories of binary packages and associatedmeta-data, whereas we’re (1) using Git, and (2) concerned with sourcecode authentication. Thus, some of the goals in 1.5.2 are notapplicable, as we will see, and some of the roles in 2.1 are notapplicable either. The OPAM folks came up with a variant of TUF² that takes advantage ofthe fact that the OPAM package repository is in a Git repo³ (this designis not currently used by opam-repository, AFAICS). Their scheme usesdetached signature files for package meta-data instead of signedcommits; thus, it is not concerned with Git checkout authentication ingeneral, but with the authentication of individual files in the repo(see the discussion of “target files” below). Yet, there are good ideasapplicable to our Git repo, such as the ‘signed’ tag created by a“signature bot” and that clients can use to check whether they get thelatest version of opam-repository. The Qubes folks have their own process⁴, not inspired by TUF. They pushsigned Git tags (instead of signing commits), with roughly one signedtag every time a bunch of commits is pushed⁵. AIUI, Qubes uses theOpenPGP web of trust to determine which keys are authorized keys: a keysigned by the Qubes master key is considered authorized. IMO this is amisuse of OpenPGP, where a signature on a key is a statement of trust in(certification of) the key/email and possibly key/name bindings⁶, andhas nothing to do with authorization. At the very least, it’s clear that: 1. Guix clients, whether ‘guix pull’ or ‘git pull’, must be able to authenticate the history of their checkout; this is why we started signing commits. 2. We must use a mechanism such as the ‘signed’ Git tag described in the OPAM document so that clients can know what the latest Guix commit is. 3. We must follow the key management practices developed in TUF. Let’s go back to the “goals for specific attacks to protect against” inSection 1.5.2 of the TUF spec, and see how they apply to thedistribution of Guix’s source tree: 1. “Rollback attacks. Attackers should not be able to trick clients into installing software that is older than that which the client previously knew to be available.” As explained in the OPAM document, Git gives us linearity guarantees (‘git pull’ makes sure we move forward), so clients can be sure they move forward in Guix history. We expect clients to authenticate the Git history, making sure all the commits are signed by authorized Guix committers. To perform such an attack, an attacker would need to get access to the private key of one of the authorized committers. We can probably consider it beyond the scope of our threat model, because at this point, the attacker could do anything (like the 2nd paragraph of TUF Section 2.2 suggests) and the version string of packages is really a detail. 2. “Indefinite freeze attacks. Attackers should not be able to respond to client requests with the same, outdated metadata without the client being aware of the problem.” 3. “Endless data attacks” and “Slow retrieval attacks” seem to be beyond the scope of our interests here; TUF does not seem to address them either. 4. “Extraneous dependencies attacks. Attackers should not be able to cause clients to download or install software dependencies that are not the intended dependencies.” Not applicable: we’re distributing a Git source tree, not build artifacts. 5. “Mix-and-match attacks. Attackers should not be able to trick clients into using a combination of metadata that never existed together on the repository at the same time.” Not applicable, for the same reaons. 6. “Malicious repository mirrors should not be able to prevent updates from good mirrors.” Clients should check the age of the ‘signed’ tag, and thus detect outdated mirrors. Section 2 of the TUF spec defines the notion of “target files” anddiscusses roles and the PKI. “Target files” are defined as files distributed by the system ascommonly found in “traditional” package repos (e.g., binary packages andassociated meta-data); they are the unit of authenticable data. In Guix we want to authenticate whole checkouts, so the notion of“target file” seems to make little sense. For instance, it wouldn’tmake sense to sign each gnu/packages/*.scm file individually, becausethe meaning of these files depends not only on the surrounding files,but also on the core of Guix, such as the (guix packages) module, whichdefines the very notion of “package”. The PKI and roles described in TUF, with separate responsibilities andthe ability to delegate, make a lot of sense (it’s similar in spirit toSPKI⁷, but more limited in scope.) Some of the roles do not seem to beapplicable to secure Git update delivery: • the “targets” role is not applicable, at least not to individual source files; • the “snapshot” role does not seem applicable (a Git commit *is* a complete snapshot); the “timestamp” role, though, corresponds to the signature bot described in the OPAM document; • the optional “mirrors” role doesn’t seem very useful, as acknowledged by Section 2.1.5 of the TUF spec. With that in mind, we now need to see how to map the relevant bits ofTUF to Guix! Comments welcome! Ludo’. ¹ https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt² http://opam.ocaml.org/blog/Signing-the-opam-repository/³ https://github.com/ocaml/opam-repository⁴ https://www.qubes-os.org/doc/verifying-signatures/⁵ See for example all the ‘mm_XXX’ tags athttps://github.com/QubesOS/qubes-core-agent-linux/releases.⁶ https://tools.ietf.org/html/rfc4880#section-5.2⁷ http://theworld.com/~cme/spki.txt
Hello! So we sign Git commits, and now we want to authenticate Git checkouts.There’s a series of bad news. First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ andthere’s no way to set it globally. Second, even if it did, it would be a shallow check: as Mike notes inhttps://mikegerwitz.com/papers/git-horror-story with the ‘signchk’script, you actually have to traverse the whole commit history andauthenticate them one by one. But that’s OK, it runs in presumably lessthan a minute on a repo the size of Guix’s, and we could also stop atsigned tags to avoid redundant checks. Third, as I wrote before¹, relying on the OpenPGP web of trust todetermine whether a commit is “valid” is inappropriate: what we want toknow is whether a commit was made by an authorized person, not whetherit was made by someone who happens to have an OpenPGP key directly orindirectly certified. IOW, we want to know whether the key used to signthe commit is among the authorized developer keys. Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,so if we want to do something different than just ‘gpg --verify’, wehave to put some other ‘gpg’ script in $PATH. Blech. Fifth, even if we did that, we’d be stuck parsing the possibly l10n’doutput of ‘gpg’. Pretty fragile. Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based onthe CHICKEN bindings², easy! Well no, it turns out that libgit2³ has nosupport for signed commits (the ‘signature’ abstraction there hasnothing to do with OpenPGP signatures.) Seventh, even if it did, what would we do with the raw ASCII-armoredOpenPGP signature? GPG and GPGME are waaaay too high-level, so we’dneed to implement OpenPGP (in Guile, maybe based on the OpenPGP libraryin Bigloo?)?!
I hope I’m just being negative and I missed an obvious solution or madewrong hypotheses. Please tell me! :-)
On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote:
Toggle quote (8 lines)> Hello!> > So we sign Git commits, and now we want to authenticate Git checkouts.> There’s a series of bad news.> > First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and> there’s no way to set it globally.
Since Git already has the git-verify-commit tool, I bet we couldconvince the Git project to implement this as a repo configurationoption. Even better if we brought a patch :)
Toggle quote (7 lines)> Second, even if it did, it would be a shallow check: as Mike notes in> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’> script, you actually have to traverse the whole commit history and> authenticate them one by one. But that’s OK, it runs in presumably less> than a minute on a repo the size of Guix’s, and we could also stop at> signed tags to avoid redundant checks.
That doesn't sound so bad.
Toggle quote (7 lines)> Third, as I wrote before¹, relying on the OpenPGP web of trust to> determine whether a commit is “valid” is inappropriate: what we want to> know is whether a commit was made by an authorized person, not whether> it was made by someone who happens to have an OpenPGP key directly or> indirectly certified. IOW, we want to know whether the key used to sign> the commit is among the authorized developer keys.
So, we need some sort of Guix keyring system, right? We'd have to verifythat a signature was made with an authorized key, and then validate thesignature itself? Now it's getting complicated...
Toggle quote (7 lines)> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,> so if we want to do something different than just ‘gpg --verify’, we> have to put some other ‘gpg’ script in $PATH. Blech.> > Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d> output of ‘gpg’. Pretty fragile.
According to the man pages gpg(1) and gpg2(1), the value "1" is returnedif a signature check fails, and there are "other error codes for fatalerrors". If these return values are consistent across GPG versions,maybe they provide enough information for us. Return values are a lot easier to parse than stdout / stderr, in myexperience. If we want to go down this path, we should figure out what we'd want todo with GPG besides `gpg --verify`.
Toggle quote (5 lines)> Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on> the CHICKEN bindings², easy! Well no, it turns out that libgit2³ has no> support for signed commits (the ‘signature’ abstraction there has> nothing to do with OpenPGP signatures.)
Ludo: On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote:
Toggle quote (3 lines)> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and> there’s no way to set it globally.
That's unfortunate. Does your checkout scenario include a fresh clone?If so, a pull flag wouldn't help there. Leo mentioned a patch; I don't think that'd be too difficult (looking atother config options in builtin/pull.c), and would be a great idea. Itappears to pass it off to merge.c; that might be a useful area to verifysignatures as well (pull being a fetch && merge/rebase), in a generalsense.
Toggle quote (7 lines)> Second, even if it did, it would be a shallow check: as Mike notes in> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’> script, you actually have to traverse the whole commit history and> authenticate them one by one. But that’s OK, it runs in presumably less> than a minute on a repo the size of Guix’s, and we could also stop at> signed tags to avoid redundant checks.
Practically speaking, that's probably fine, though note that a signedtag is just a signed hash of the commit it points to (with somemetadata), so you're trusting the integrity of SHA-1 and nothingmore. With that said, the tag points to what will hopefully be a signedcommit, so if you verify the signature of the tag _and_ that commit,that'd be even better. Git's use of SHA-1 makes cryptographicassurances difficult/awkward. An occasional traversal of the entire DAG by, say, a CI script wouldprovide some pretty good confidence. I wouldn't say it's necessary forevery pull.
Toggle quote (6 lines)> Third, as I wrote before¹, relying on the OpenPGP web of trust to> determine whether a commit is “valid” is inappropriate: what we want to> know is whether a commit was made by an authorized person, not whether> it was made by someone who happens to have an OpenPGP key directly or> indirectly certified.
If you want to keep with the convenience of the web of trust, then youcan have a keyring trusting only the appropriate Guixhackers. Otherwise, I agree.
Toggle quote (4 lines)> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,> so if we want to do something different than just ‘gpg --verify’, we> have to put some other ‘gpg’ script in $PATH. Blech.
What types of things are you considering? Or are you just consideringthe possibility? I agree that it is awkward. At the same time, making it configurable(in the git sense) can potentially be very dangerous, because amalicious script (e.g. configure) could just modify it to a noop(e.g. `true`) and circumvent signature checks.
Toggle quote (3 lines)> Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d> output of ‘gpg’. Pretty fragile.
In the log output? You could use --pretty and %G*. Otherwise, yesparsing GPG's output seems dangerous; surely there's a better way (likeLeo mentioned).
Toggle quote (4 lines)> Well no, it turns out that libgit2³ has no support for signed commits> (the ‘signature’ abstraction there has nothing to do with OpenPGP> signatures.)
!? D: That's more concerning from a community mindset standpoint than anything.
Toggle quote (5 lines)> Seventh, even if it did, what would we do with the raw ASCII-armored> OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library> in Bigloo?)?!
What about gpgme/libgcrypt?[*]
Toggle quote (5 lines)> I stumbled upon git-lockup⁴, which uses something other than OpenPGP to> sign objects in Git. However, signatures are not stored in commits but> rather in “git notes”, which, IIUC, are mutable objects detached from> the rest of the object store, so not great.
It seems a bit over-complicated. Without reading much into it, itdoesn't strike me as much different than a detached signature, but theproblem is that the signature (as you implied) can just bedeleted. Git's commit/tag signatures are embedded in the actualobject. git-lockup also seems to hash "(branch,commitid) pairs", whichsigns considerably less data than Git's signature would (unless itactually signs the full object, not a string referencing it).
I'll have to read over your first reference (your message) and itsreferences; now I'm curious.
[*]: I was actually considering writing an FFI for libgcrypt (if itdoesn't exist already), but it made me uncomfortable without studyingwhether Guile can make assurances that pointer-referenced data in"secure" memory will never be copied anywhere else. I was going tobring it up in the near future on the guile mailing list after I didsome research myself; no need to derail the discussion here. -- Mike GerwitzFree Software Hacker+Activist | GNU Maintainer & Volunteerhttps://mikegerwitz.comFSF Member #5804 | GPG Key ID: 0x8EE30EAB
(name . Leo Famulari)(address . leo@famulari.name)
87inxp2p22.fsf@inria.fr
Leo Famulari <leo@famulari.name> skribis:
Toggle quote (13 lines)> On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote:>> Hello!>> >> So we sign Git commits, and now we want to authenticate Git checkouts.>> There’s a series of bad news.>> >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and>> there’s no way to set it globally.>> Since Git already has the git-verify-commit tool, I bet we could> convince the Git project to implement this as a repo configuration> option. Even better if we brought a patch :)
Sure. :-)
Toggle quote (11 lines)>> Third, as I wrote before¹, relying on the OpenPGP web of trust to>> determine whether a commit is “valid” is inappropriate: what we want to>> know is whether a commit was made by an authorized person, not whether>> it was made by someone who happens to have an OpenPGP key directly or>> indirectly certified. IOW, we want to know whether the key used to sign>> the commit is among the authorized developer keys.>> So, we need some sort of Guix keyring system, right? We'd have to verify> that a signature was made with an authorized key, and then validate the> signature itself? Now it's getting complicated...
Fundamentally, it’s very simple. It’s just that OpenPGP is not designedto do this, and GPG doesn’t help with such uses.
Toggle quote (12 lines)>> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,>> so if we want to do something different than just ‘gpg --verify’, we>> have to put some other ‘gpg’ script in $PATH. Blech.>> >> Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d>> output of ‘gpg’. Pretty fragile.>> According to the man pages gpg(1) and gpg2(1), the value "1" is returned> if a signature check fails, and there are "other error codes for fatal> errors". If these return values are consistent across GPG versions,> maybe they provide enough information for us.
The problem is the meaning of a “signature failure.” We need todistinguish between the cases that appear in ‘signature-case’: http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pki.scm#n179 The ‘gpg’ command hardly helps with that, plus a signature is considered“valid” if it’s made by someone “trusted” in the sense of the WoT. Ludo’.
Toggle quote (13 lines)> On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote:>> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and>> there’s no way to set it globally.>> That's unfortunate. Does your checkout scenario include a fresh clone?> If so, a pull flag wouldn't help there.>> Leo mentioned a patch; I don't think that'd be too difficult (looking at> other config options in builtin/pull.c), and would be a great idea. It> appears to pass it off to merge.c; that might be a useful area to verify> signatures as well (pull being a fetch && merge/rebase), in a general> sense.
Yeah, it wouldn’t be too hard to add to Git proper, I think, but wecan even live without it initially.
Toggle quote (21 lines)>> Second, even if it did, it would be a shallow check: as Mike notes in>> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’>> script, you actually have to traverse the whole commit history and>> authenticate them one by one. But that’s OK, it runs in presumably less>> than a minute on a repo the size of Guix’s, and we could also stop at>> signed tags to avoid redundant checks.>> Practically speaking, that's probably fine, though note that a signed> tag is just a signed hash of the commit it points to (with some> metadata), so you're trusting the integrity of SHA-1 and nothing> more.>> With that said, the tag points to what will hopefully be a signed> commit, so if you verify the signature of the tag _and_ that commit,> that'd be even better. Git's use of SHA-1 makes cryptographic> assurances difficult/awkward.>> An occasional traversal of the entire DAG by, say, a CI script would> provide some pretty good confidence. I wouldn't say it's necessary for> every pull.
Agreed.
Toggle quote (10 lines)>> Third, as I wrote before¹, relying on the OpenPGP web of trust to>> determine whether a commit is “valid” is inappropriate: what we want to>> know is whether a commit was made by an authorized person, not whether>> it was made by someone who happens to have an OpenPGP key directly or>> indirectly certified.>> If you want to keep with the convenience of the web of trust, then you> can have a keyring trusting only the appropriate Guix> hackers. Otherwise, I agree.
Toggle quote (6 lines)>> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,>> so if we want to do something different than just ‘gpg --verify’, we>> have to put some other ‘gpg’ script in $PATH. Blech.>> What types of things are you considering?
Something as simple as this:
Toggle snippet (6 lines)$ git config gpg.program 'gpgv --keyring /dev/null'$ git verify-commit HEADerror: cannot run gpgv --keyring /dev/null: No such file or directoryerror: could not run gpg.
:-/
Toggle quote (7 lines)>> Seventh, even if it did, what would we do with the raw ASCII-armored>> OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d>> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library>> in Bigloo?)?!>> What about gpgme/libgcrypt?[*]
I believe, but haven’t checked carefully, that GPGME is too high-level;libgcrypt is too low-level (it does not implement OpenPGP.)
Toggle quote (7 lines)> [*]: I was actually considering writing an FFI for libgcrypt (if it> doesn't exist already), but it made me uncomfortable without studying> whether Guile can make assurances that pointer-referenced data in> "secure" memory will never be copied anywhere else. I was going to> bring it up in the near future on the guile mailing list after I did> some research myself; no need to derail the discussion here.
Hi, Ludo' asked us to send some comments on how to verify git commits. Ionly had time to quickly browse the mail thread. I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alreadmoved to name gpg2 gpg) because we once wrote it for Debian. It has thesimplest semantics and thus best fits your purpose. We use it in GnuPGitself for the speedo build system; it is sufficent to run this simplescript:
Toggle snippet (6 lines) if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then echo "list of software versions is not valid!" >&2 exit 1 fi
In all other context I would suggest the use of GPGME to verifysignatures, because GPGME also evaluates the trust and all the statusline gpg spits out. There are no issues with l10n because _all_ scripts SHOULD use gpg withthe options --status-fd and --with-colons. That output creates a welldefined API and we try very hard never to break it. Mike Gerwitz's article is a bit long read right now. I have neverlooked into git to check whether git correctly calls gpg to verifysignatures. That should eventually be done. And yes, please sign yourcommits (I use an Ed25519 key stored on a Gnuk token; which works verywell).
On Sat, Jun 04, 2016 at 13:17:53 +0200, Ludovic Courtès wrote:
Toggle quote (8 lines)> We have incomplete libgcrypt bindings:>> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm>> This is used for the authentication of substitutes:>> https://www.gnu.org/software/guix/manual/html_node/Substitutes.html
Oh, excellent; I'm not sure if I would have come across that. I shouldpoke around Guix a bit more and see all the goodies that everyone hascreated. Thanks. -- Mike GerwitzFree Software Hacker+Activist | GNU Maintainer & Volunteerhttps://mikegerwitz.comFSF Member #5804 | GPG Key ID: 0x8EE30EAB
On 2016-06-04(01:17:53+0200), Ludovic Courtès wrote:
Toggle quote (110 lines)> Hi!>> Mike Gerwitz <mtg@gnu.org> skribis:>> > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote:> >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and> >> there’s no way to set it globally.> >> > That's unfortunate. Does your checkout scenario include a fresh clone?> > If so, a pull flag wouldn't help there.> >> > Leo mentioned a patch; I don't think that'd be too difficult (looking at> > other config options in builtin/pull.c), and would be a great idea. It> > appears to pass it off to merge.c; that might be a useful area to verify> > signatures as well (pull being a fetch && merge/rebase), in a general> > sense.>> Yeah, it wouldn’t be too hard to add to Git proper, I think, but we> can even live without it initially.>> >> Second, even if it did, it would be a shallow check: as Mike notes in> >> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’> >> script, you actually have to traverse the whole commit history and> >> authenticate them one by one. But that’s OK, it runs in presumably less> >> than a minute on a repo the size of Guix’s, and we could also stop at> >> signed tags to avoid redundant checks.> >> > Practically speaking, that's probably fine, though note that a signed> > tag is just a signed hash of the commit it points to (with some> > metadata), so you're trusting the integrity of SHA-1 and nothing> > more.> >> > With that said, the tag points to what will hopefully be a signed> > commit, so if you verify the signature of the tag _and_ that commit,> > that'd be even better. Git's use of SHA-1 makes cryptographic> > assurances difficult/awkward.> >> > An occasional traversal of the entire DAG by, say, a CI script would> > provide some pretty good confidence. I wouldn't say it's necessary for> > every pull.>> Agreed.>> >> Third, as I wrote before¹, relying on the OpenPGP web of trust to> >> determine whether a commit is “valid” is inappropriate: what we want to> >> know is whether a commit was made by an authorized person, not whether> >> it was made by someone who happens to have an OpenPGP key directly or> >> indirectly certified.> >> > If you want to keep with the convenience of the web of trust, then you> > can have a keyring trusting only the appropriate Guix> > hackers. Otherwise, I agree.>> Oh right, we could do something like:>> gpgv --keyring guix-developers.keyring foo>> (I realize GSRC uses this idiom already when authenticating source> tarballs:> <http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L217>.)>> >> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,> >> so if we want to do something different than just ‘gpg --verify’, we> >> have to put some other ‘gpg’ script in $PATH. Blech.> >> > What types of things are you considering?>> Something as simple as this:>> --8<---------------cut here---------------start------------->8---> $ git config gpg.program 'gpgv --keyring /dev/null'> $ git verify-commit HEAD> error: cannot run gpgv --keyring /dev/null: No such file or directory> error: could not run gpg.> --8<---------------cut here---------------end--------------->8--->> :-/>> >> Seventh, even if it did, what would we do with the raw ASCII-armored> >> OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d> >> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library> >> in Bigloo?)?!> >> > What about gpgme/libgcrypt?[*]>> I believe, but haven’t checked carefully, that GPGME is too high-level;> libgcrypt is too low-level (it does not implement OpenPGP.)>> > [*]: I was actually considering writing an FFI for libgcrypt (if it> > doesn't exist already), but it made me uncomfortable without studying> > whether Guile can make assurances that pointer-referenced data in> > "secure" memory will never be copied anywhere else. I was going to> > bring it up in the near future on the guile mailing list after I did> > some research myself; no need to derail the discussion here.>> We have incomplete libgcrypt bindings:>> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm>> This is used for the authentication of substitutes:>> https://www.gnu.org/software/guix/manual/html_node/Substitutes.html>> Thanks for your feedback!>> Ludo’.>>>
Aside from other problems,Couldn't we create a separate gpg(-1,-2) package which installs its own GPG_HOME_DIRand keyring (gpg2 or gpg1 must be present for that, for future purposes agpg2 would be best I think)? One example:https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots I know this isn't similar to what we want to do, but it might serve as an example.The method described in the link downloads an auto-signed tarball snapshot of theportage directory via webrsync. The keys are also visible on the wiki and it is upto users to put trust in them, as this method is considered optional.The source used for this is https://gitweb.gentoo.org/proj/gentoo-keys.git/tree/README.md Maybe this helps a bit. --♥Ⓐ ng04096R/13212A27975AF07677A29F7002A296150C201823
Toggle quote (3 lines)> I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread> moved to name gpg2 gpg)
We have a policy to respect what upstream does because in general wecannot or shouldn’t try to guess what’s “best”, IMO. So in this case,we keep the default names, ‘gpg2’ and ‘gpgv2’. Do you think we should rename those files?
Toggle quote (11 lines)> because we once wrote it for Debian. It has the simplest semantics> and thus best fits your purpose. We use it in GnuPG itself for the> speedo build system; it is sufficent to run this simple script:>> --8<---------------cut here---------------start------------->8---> if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then> echo "list of software versions is not valid!" >&2> exit 1> fi> --8<---------------cut here---------------end--------------->8---
Toggle quote (8 lines)> In all other context I would suggest the use of GPGME to verify> signatures, because GPGME also evaluates the trust and all the status> line gpg spits out.>> There are no issues with l10n because _all_ scripts SHOULD use gpg with> the options --status-fd and --with-colons. That output creates a well> defined API and we try very hard never to break it.
I’m aware of it, but unfortunately, git invokes gpg on the user’sbehalf, and all it gives is the human-readable, l10n’d output:
Toggle snippet (7 lines)$ LANGUAGE=fr_FR git log --pretty="format:%H %GG" HEAD |head -440d71e44f5068b28f48bd131940260cc0ab2e2d1 gpg: Signature faite le Sun 05 Jun 2016 12:05:39 AM CEST avec la clef RSA d'identifiant 3D9AEBB5gpg: Bonne signature de « Ludovic Courtès <ludo@gnu.org> » [totale]gpg: alias « Ludovic Courtès <ludo@chbouib.org> » [totale]gpg: alias « Ludovic Courtès (Inria) <ludovic.courtes@inria.fr> » [totale]
(Internally it does use ‘--status-fd’ but that doesn’t help us asusers.)
Toggle quote (6 lines)> Mike Gerwitz's article is a bit long read right now. I have never> looked into git to check whether git correctly calls gpg to verify> signatures. That should eventually be done. And yes, please sign your> commits (I use an Ed25519 key stored on a Gnuk token; which works very> well).
We sign commits and it’s wonderful; now all we need is tools to actuallyuse those signatures to authenticate checkouts. :-) Thanks for taking the time to comment! Ludo’.
On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
Toggle quote (7 lines)> There are no issues with l10n because _all_ scripts SHOULD use gpg with> the options --status-fd and --with-colons. That output creates a well> defined API and we try very hard never to break it.> [...]> I have never looked into git to check whether git correctly calls gpg> to verify signatures. That should eventually be done.
A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer): It invokes `gpg --status-fd=1 --verify FILE -`, where FILE is asignature written to a temporary file for the sake of invokingGPG. It checks for a non-zero exit code and GOODSIG: ret |= !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG "); -- Mike GerwitzFree Software Hacker+Activist | GNU Maintainer & Volunteerhttps://mikegerwitz.comFSF Member #5804 | GPG Key ID: 0x8EE30EAB
Toggle quote (5 lines)> cannot or shouldn’t try to guess what’s “best”, IMO. So in this case,> we keep the default names, ‘gpg2’ and ‘gpgv2’.>> Do you think we should rename those files?
Given that Guix is a new distro you should really try to get rid of 1.4and only use 2.1. For Windows we use the name "gpg" for a long time nowand there is a configure option --enable-gpg2-is-gpg to make it easier.
Toggle quote (3 lines)> We sign commits and it’s wonderful; now all we need is tools to actually> use those signatures to authenticate checkouts. :-)
Right - Although I sign my commits,e other GnuPG hackers don't do it,and thus for me there is no strong need to verify the commits. But weshould have these tools.
Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus*/
Toggle quote (23 lines)>>> Second, even if it did, it would be a shallow check: as Mike notes in>>> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’>>> script, you actually have to traverse the whole commit history and>>> authenticate them one by one. But that’s OK, it runs in presumably less>>> than a minute on a repo the size of Guix’s, and we could also stop at>>> signed tags to avoid redundant checks.>>>> Practically speaking, that's probably fine, though note that a signed>> tag is just a signed hash of the commit it points to (with some>> metadata), so you're trusting the integrity of SHA-1 and nothing>> more.>>>> With that said, the tag points to what will hopefully be a signed>> commit, so if you verify the signature of the tag _and_ that commit,>> that'd be even better. Git's use of SHA-1 makes cryptographic>> assurances difficult/awkward.>>>> An occasional traversal of the entire DAG by, say, a CI script would>> provide some pretty good confidence. I wouldn't say it's necessary for>> every pull.>> Agreed.
One theoretical optimization: if I verify the DAG, could I storesomewhere that I've verified from commit cabba6e and upward already, sothe next time I verify it only has to verify the new commits? Mostly makes sense if we're already going down the only mildlycrazypants direction of implementing our own tooling :) - Chris
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)
20160605211517.GA2928@jasmine
On Sun, Jun 05, 2016 at 03:39:04PM -0500, Christopher Allan Webber wrote:
Toggle quote (4 lines)> One theoretical optimization: if I verify the DAG, could I store> somewhere that I've verified from commit cabba6e and upward already, so> the next time I verify it only has to verify the new commits?
AIUI `git verify-commit` takes a single commit as an argument, so youcan pass it an argument like this: $ git verify-commit $(git rev-list deadbeef..cabba6e) ... and it will only look at those. So, you would tailor the range ofcommits that you want to verify.
Toggle quote (3 lines)> Mostly makes sense if we're already going down the only mildly> crazypants direction of implementing our own tooling :)
It seems you'd want a tool that you trust to store a reference to thelatest commit you trust, and use it to create the range of commits youpass to `git rev-list`.
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)
877fe3hwe9.fsf@gnu.org
On Sun, Jun 05, 2016 at 15:39:04 -0500, Christopher Allan Webber wrote:
Toggle quote (4 lines)> One theoretical optimization: if I verify the DAG, could I store> somewhere that I've verified from commit cabba6e and upward already, so> the next time I verify it only has to verify the new commits?
tbh, I haven't given this the amount of thought/research that I feel itneeds. Unfortunately, you got me thinking, so here's another longmessage. In essence, this is equivalent to Ludo's suggestion of stopping atthe last tag (if you envision, say, tagging the last processed commit)_provided that_ you also verify the commit that the tag is pointing to. My short answer is: practically speaking, it's probably fine, becauseyou're more than likely trying to defend against an attacker that gainsaccess to the repo, not a second-preimage attack. * * * Long answer (braindump): When I consider the potential threats, I consider that the integrity ofeach blob, tree, commit, etc are fairly well assured by their hashes,but depend entirely on the security of SHA-1, whose future isincreasingly grim. SHA-1 does just fine for uniquely identifyingobjects---and if it didn't, hashes offending preimages would just beblacklisted. But it was never intended for security. The problem is pretty bad: signed commits will ensure the integrity ofthe commit itself (the object---as in `git cat-file -p COMMIT`); theproblem is that you don't just have to find a preimage for the hashessigned in that commit: the tree hash is what really dictates thecontent, and that tree hash in turn identifies other trees and blobs: $ git cat-file -p 'HEAD^{tree}' ... 100644 blob 9b9481deea8cee4cc61971a752d02c04d5f0654e configure.ac 040000 tree f2b4528e1f66f3bbc4742dc4a11bd1283cd475b9 doc ... That blob contains the actual file contents. So in a large project like Guix, you have so many opportunities! Youcan try to find preimages for any of the trees or blobs _without havingto worry about any signatures_; neither trees nor blobs are signed. With that said, if I recall correctly (and after a very brief glance atfetch-pack.c), a successful preimage attack would only affect users whohaven't already fetched the legitimate object---otherwise Git wouldn'tbother fetching it. I'm not sure if I find comfort in this or not: it'sbeen used by some to dismiss the problem of collisions, but (assuminggit is silent about it---and why wouldn't it be, as it wouldn't knowbetter) that's worse, since maintainers and common contributors wouldn'tnotice anything wrong at all. But someone who clones fresh and compileswould be screwed. So signing commits almost certainly protects you against someone whogains access to the repository on a common origin or amaintainer/contributor's PC, provided that nobody's private key iscompromised. But there doesn't seem to be any way to secure a git repository againsta second-preimage attack. So given that, it doesn't really matter if you re-verify all the commitsor not: an attacker doesn't need to even bother with the commitobject. I guess one option is to keep a local copy of the repository,clone a fresh copy, and occasionally diff _every_ object (commit, tag,tree, blob) for differences. So if Git wants to take this issue seriously, changes have to bemade. In the meantime, in addition to commit verification, you canalways keep around a local copy of the repository, always clone a copy,and ensure that builds between the two are reproducible.
Toggle quote (3 lines)> But there doesn't seem to be any way to secure a git repository against> a second-preimage attack.
That’s by large beyond the scope of this discussion. :-) I think all we want is to allow someone who gets a checkout of Guix toauthenticate the source code, i.e., to make sure it was committed by oneof these awesome Guix hackers and not by Mr. Evildoer. Ludo’.
Toggle quote (129 lines)> On 2016-06-04(01:17:53+0200), Ludovic Courtès wrote:> > Hi!> >> > Mike Gerwitz <mtg@gnu.org> skribis:> >> > > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote:> > >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and> > >> there’s no way to set it globally.> > >> > > That's unfortunate. Does your checkout scenario include a fresh clone?> > > If so, a pull flag wouldn't help there.> > >> > > Leo mentioned a patch; I don't think that'd be too difficult (looking at> > > other config options in builtin/pull.c), and would be a great idea. It> > > appears to pass it off to merge.c; that might be a useful area to verify> > > signatures as well (pull being a fetch && merge/rebase), in a general> > > sense.> >> > Yeah, it wouldn’t be too hard to add to Git proper, I think, but we> > can even live without it initially.> >> > >> Second, even if it did, it would be a shallow check: as Mike notes in> > >> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’> > >> script, you actually have to traverse the whole commit history and> > >> authenticate them one by one. But that’s OK, it runs in presumably less> > >> than a minute on a repo the size of Guix’s, and we could also stop at> > >> signed tags to avoid redundant checks.> > >> > > Practically speaking, that's probably fine, though note that a signed> > > tag is just a signed hash of the commit it points to (with some> > > metadata), so you're trusting the integrity of SHA-1 and nothing> > > more.> > >> > > With that said, the tag points to what will hopefully be a signed> > > commit, so if you verify the signature of the tag _and_ that commit,> > > that'd be even better. Git's use of SHA-1 makes cryptographic> > > assurances difficult/awkward.> > >> > > An occasional traversal of the entire DAG by, say, a CI script would> > > provide some pretty good confidence. I wouldn't say it's necessary for> > > every pull.> >> > Agreed.> >> > >> Third, as I wrote before¹, relying on the OpenPGP web of trust to> > >> determine whether a commit is “valid” is inappropriate: what we want to> > >> know is whether a commit was made by an authorized person, not whether> > >> it was made by someone who happens to have an OpenPGP key directly or> > >> indirectly certified.> > >> > > If you want to keep with the convenience of the web of trust, then you> > > can have a keyring trusting only the appropriate Guix> > > hackers. Otherwise, I agree.> >> > Oh right, we could do something like:> >> > gpgv --keyring guix-developers.keyring foo> >> > (I realize GSRC uses this idiom already when authenticating source> > tarballs:> > <http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L217>.)> >> > >> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,> > >> so if we want to do something different than just ‘gpg --verify’, we> > >> have to put some other ‘gpg’ script in $PATH. Blech.> > >> > > What types of things are you considering?> >> > Something as simple as this:> >> > --8<---------------cut here---------------start------------->8---> > $ git config gpg.program 'gpgv --keyring /dev/null'> > $ git verify-commit HEAD> > error: cannot run gpgv --keyring /dev/null: No such file or directory> > error: could not run gpg.> > --8<---------------cut here---------------end--------------->8---> >> > :-/> >> > >> Seventh, even if it did, what would we do with the raw ASCII-armored> > >> OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d> > >> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library> > >> in Bigloo?)?!> > >> > > What about gpgme/libgcrypt?[*]> >> > I believe, but haven’t checked carefully, that GPGME is too high-level;> > libgcrypt is too low-level (it does not implement OpenPGP.)> >> > > [*]: I was actually considering writing an FFI for libgcrypt (if it> > > doesn't exist already), but it made me uncomfortable without studying> > > whether Guile can make assurances that pointer-referenced data in> > > "secure" memory will never be copied anywhere else. I was going to> > > bring it up in the near future on the guile mailing list after I did> > > some research myself; no need to derail the discussion here.> >> > We have incomplete libgcrypt bindings:> >> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm> >> > This is used for the authentication of substitutes:> >> > https://www.gnu.org/software/guix/manual/html_node/Substitutes.html> >> > Thanks for your feedback!> >> > Ludo’.> >> >> >>> Aside from other problems,> Couldn't we create a separate gpg(-1,-2) package which installs its own GPG_HOME_DIR> and keyring (gpg2 or gpg1 must be present for that, for future purposes a> gpg2 would be best I think)?>> One example:> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots>> I know this isn't similar to what we want to do, but it might serve as an example.> The method described in the link downloads an auto-signed tarball snapshot of the> portage directory via webrsync. The keys are also visible on the wiki and it is up> to users to put trust in them, as this method is considered optional.> The source used for this is https://gitweb.gentoo.org/proj/gentoo-keys.git/tree/README.md>> Maybe this helps a bit.>
Adding to this what I just found: http://www.tedunangst.com/flak/post/signifyhttps://github.com/aperezdc/signify I am /not/ sure if this will be useful for what guix secure pull wants to achieve,but maybe there's some inspiration to be found in the source. --♥Ⓐ ng0For non-prism friendly talk find me onpsyced.org / loupsycedyglgamf.onion
On Sun, Jun 05, 2016 at 09:51:45AM +0200, Werner Koch wrote:
Toggle quote (4 lines)> Given that Guix is a new distro you should really try to get rid of 1.4> and only use 2.1. For Windows we use the name "gpg" for a long time now> and there is a configure option --enable-gpg2-is-gpg to make it easier.
If a Guix user installs GnuPG without specifying the version, which Ithink is the typical behavior, they will get the latest version that wepackage (currently 2.1.12). That's not exactly what you are requesting,but it should steer some users towards the modern branch :) For your reference, we package the classic, stable, and modern branches.
(name . Leo Famulari)(address . leo@famulari.name)
87mvmxfmjt.fsf_-_@gnu.org
Leo Famulari <leo@famulari.name> skribis:
Toggle quote (12 lines)> On Sun, Jun 05, 2016 at 09:51:45AM +0200, Werner Koch wrote:>> Given that Guix is a new distro you should really try to get rid of 1.4>> and only use 2.1. For Windows we use the name "gpg" for a long time now>> and there is a configure option --enable-gpg2-is-gpg to make it easier.>> If a Guix user installs GnuPG without specifying the version, which I> think is the typical behavior, they will get the latest version that we> package (currently 2.1.12). That's not exactly what you are requesting,> but it should steer some users towards the modern branch :)>> For your reference, we package the classic, stable, and modern branches.
Nevertheless, we could configure GPG 2.x with --enable-gpg2-is-gpg, ifthat’s what Werner recommends. Thanks,Ludo’.
Toggle quote (13 lines)> On Tue, 7 Jun 2016 10:08, ludo@gnu.org said:>> > Nevertheless, we could configure GPG 2.x with --enable-gpg2-is-gpg, if> > that’s what Werner recommends.>> It would help to avoid trouble in the future. Debian will also install> gpg2 as gpg and provide 1.4 only a non-mandatory package gnupg1.>>> Shalom-Salam,>> Werner
I can add Gentoo to the list of gpg2 -> gpg symlinking systems, though thisis expected with 2.x version and GnuPG having this as quasi default: ~$ ls -al /usr/bin/gpg*lrwxrwxrwx 1 root root 4 May 20 13:45 /usr/bin/gpg -> gpg2.......lrwxrwxrwx 1 root root 5 May 20 13:45 /usr/bin/gpgv -> gpgv2 --♥Ⓐ ng0For non-prism friendly talk find me onpsyced.org / loupsycedyglgamf.onion
Toggle quote (10 lines)> Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on> the CHICKEN bindings², easy! Well no, it turns out that libgit2³ has no> support for signed commits (the ‘signature’ abstraction there has> nothing to do with OpenPGP signatures.)>> Seventh, even if it did, what would we do with the raw ASCII-armored> OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library> in Bigloo?)?!
This bit was too pessimistic it seems. :-) With the quick-hack libgit2 bindings attached, I can run this program,which authenticates HEAD:
Toggle snippet (9 lines)$ ./pre-inst-env guile t.scmgpg: Signature made Thu 21 Jul 2016 06:53:27 PM CEST using RSA key ID 3D9AEBB5gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [full]gpg: aka "Ludovic Courtès <ludo@chbouib.org>" [full]gpg: aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>" [full] ;;; (((unparsed-line "[GNUPG:] NEWSIG") (signature-id "5U2RqMgQpDFefFuBzsYBDsrL9xg" "2016-07-21" 1469120007) (good-signature "090B11993D9AEBB5" "Ludovic Courtès <ludo@gnu.org>") (valid-signature "3CE464558A84FDC69DB40CFB090B11993D9AEBB5" "2016-07-21" 1469120007) (unparsed-line "[GNUPG:] TRUST_FULLY")))
So I think we can go from here. Our repo would contain a Scheme list ofauthorized OpenPGP fingerprints, and we’d check whether the fingerprintthat shows up in ‘valid-signature’ above is among them (IMO this isbetter than using a GnuPG keyring because GnuPG keyrings are opaquebinary blobs—we wouldn’t be able to diff subsequent revisions of thekeyring—and they contain full OpenPGP keys, including signature packetsand all that, which we don’t need/want for authorization purposes; wemay still want to store a keyring though, but simply for the purposes ofallowing gpg to check signatures.) Since we just need to read Git objects, after all, another option wouldbe to avoid libgit2 and read them ourselves, which wouldn’t be hard (I’dexpect ~500 lines of code), would avoid the dependency, and be morerobust (no C!). However, ‘guix pull’ can make good use of libgit2 to directly clone/pullin the future, so it makes sense to have libgit2 bindings. It Would Be Nice if the libgit2 bindings were maintained separately. Wecan start with just the features we need as (guix git), but if anyonewants to “externalize” it and improve it, that would be more thanwelcome! Thoughts? Thanks,Ludo’.
Hi Ludo, This is some awesome work! On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Courtès <ludo@gnu.org> wrote:
Toggle quote (5 lines)> It Would Be Nice if the libgit2 bindings were maintained separately. We> can start with just the features we need as (guix git), but if anyone> wants to “externalize” it and improve it, that would be more than> welcome!
I started a "guile-git" project awhile ago, but didn't get anywhere.Maybe I can snarf your bindings as a starting point? If the bindingswere an external project, would it be an optional or mandatorydependency? Would you be OK with licensing the code under LGPLv3 orlater? Thanks! - Dave
Toggle quote (10 lines)> On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Courtès <ludo@gnu.org> wrote:>>> It Would Be Nice if the libgit2 bindings were maintained separately. We>> can start with just the features we need as (guix git), but if anyone>> wants to “externalize” it and improve it, that would be more than>> welcome!>> I started a "guile-git" project awhile ago, but didn't get anywhere.> Maybe I can snarf your bindings as a starting point?
Definitely, that’d be a great contribution! Among other things, I didn’t pay attention to memory management; someobjects need finalizers, some are documented as having the same lifetime as the repository object they come from (a weak-key hash tablecould be used to have the life time of Scheme object match that of theirC counterpart.) Nothing terrible though, and you know all that verywell.
Toggle quote (3 lines)> If the bindings were an external project, would it be an optional or> mandatory dependency?
It may become a mandatory dependency because we’d use it in ‘guix pull’.
Toggle quote (2 lines)> Would you be OK with licensing the code under LGPLv3 or later?
[sr #109104] Add Git 'update' hook for Guix repositories
20160725-000945.sv15145.13702@savannah.gnu.org
URL:http://savannah.gnu.org/support/?109104 Summary: Add Git 'update' hook for Guix repositories Project: Savannah Administration Submitted by: civodul Submitted on: Mon 25 Jul 2016 12:09:45 AM CEST Category: Source code repositories - developer access Priority: 5 - Normal Severity: 3 - Normal Status: None Assigned to: None Originator Email: ludo@gnu.org Operating System: None Open/Closed: Open Discussion Lock: Any _______________________________________________________ Details: Hello, Could you add the attach file as an 'update' hook for all the Guixrepositories? Thanks in advance,Ludo'.
Update of sr #109104 (project administration): Status: None => In Progress Assigned to: None => rwp _______________________________________________________ Follow-up Comment #1: Sure thing. I will add it to this list. guix.gitguix/dhcp.gitguix/gnunet.gitguix/guix-artwork.gitguix/maintenance.git
Update of sr #109104 (project administration): Status: In Progress => Done Open/Closed: Open => Closed _______________________________________________________ Follow-up Comment #2: Done. Commits to those repositories will be required to be gpg signed now. Letus know if you need anything else.
Follow-up Comment #3, sr #109104 (project administration): That was fast, thanks a lot, Bob! _______________________________________________________ Reply to this item at: http://savannah.gnu.org/support/?109104 _______________________________________________ Message sent via/by Savannahhttp://savannah.gnu.org/
[sr #109104] Add Git 'update' hook for Guix repositories
20160807-015339.sv88130.30875@savannah.gnu.org
Follow-up Comment #4, sr #109104 (project administration): Unfortunately, this hook can be easily defeated. Here's some example outputfrom the current tip of master:
The hook currently greps for `^gpgsig '. It will indeed find a GPG signatureif it exists, but to circumvent it, an attacker need only put `gpgsig' in thecommit message at column 0---the commit messages aren't indented in theoutput. You can replace the entire loop in the hook with this:
Follow-up Comment #5, sr #109104 (project administration): Hi Mike, The hook is indeed super naive. The goal was just to avoid _accidental_pushes of unsigned commits, under the assumption that those with commit accessare well-behaved. :-) But yeah, the goal is to ultimately scan the Git history and ensure onlyauthorized keys are used:http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#103. Thanks,Ludo'. _______________________________________________________ Reply to this item at: http://savannah.gnu.org/support/?109104 _______________________________________________ Message sent via/by Savannahhttp://savannah.gnu.org/
Hello, Just a note for later… ludo@gnu.org (Ludovic Courtès) skribis:
Toggle quote (3 lines)> With the quick-hack libgit2 bindings attached, I can run this program,> which authenticates HEAD:
[...]
Toggle quote (4 lines)> So I think we can go from here. Our repo would contain a Scheme list of> authorized OpenPGP fingerprints, and we’d check whether the fingerprint> that shows up in ‘valid-signature’ above is among them
Storing the list of authorized keys in a file in the repo isinconvenient: simply to retrieve it, you’d need to make a checkout. Sofor each commit we verify, we have to check out the whole repo, which isinefficient. While readinghttp://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/, Irealized we could store in empty Git commit messages, which wouldaddress the above problem (we could use a custom object type too, butthat would be less convenient.) So the special commit could look like: Authorization (commit-authorizations (authorization-commit (KEY1 KEY2 …)) (files ("hydra.gnu.org.pub") (KEY1 KEY2 …)) (files _ (KEY1 KEY2 …))) ;all other files That way, to authenticate a commit, we first fetch the latestauthorization commit, read the authorization rules from there, and makesure that the changes it makes match the rules. Thoughts? Ludo’.
This isn't exactly pretty, and obviously a better long-term solution isneeded, but I wrote a quick shell script to at least partially addressessome my biggest fears with guix pull... Basically, it updates a git checkout, checks the signatures on thecommits, looking for the topmost signed commit by a key in a specifickeyring, and then runs guix pull with that commit.
It relies on a custom gpg directory and assumes any of the keys in thekeyring are valid potential signers of the commits; the web of trust isessentially ignored. I really don't like having a custom GNUPGHOME, but I didn't see anyother obvious way to pass arguments to git to use a custom keyring. Ipopulated this GNUPGHOME with keys from: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1 And then ran gpg --refresh-keys on it, as several keys wereoutdated/expired. (an alternative approach to populate the keyring might be:https://gitlab.com/Efraim/guix-keyring)
It also assumes a git checkout where "git pull" pulls from the correctrepository. It assumes guix --version returns a valid git hash, so would requiresome more tweaks to get it working from a fresh guix install. All those caveats aside, it seems to work well enough for me, andwriting this email took longer than writing the script. :)
live well, vagrant
#!/bin/sh set -xset -eworkdir=/home/vagrant/src/guixexport GNUPGHOME=$workdir/verified-pull/gnupgcd $workdirgit pullguixversion=$(guix --version | awk '/^guix/{print $4}') commits=$(git log ${guixversion}.. --pretty='format:%G?,%H') # · %G?: show# "G" for a good (valid) signature,# "B" for a bad · %signature,# "U" for a good signature with unknown validity,# "X" for a good · %signature that has expired,# "Y" for a good signature made by an expired · %key,# "R" for a good signature made by a revoked key,# "E" if the · %signature cannot be checked (e.g. missing key) and# "N" for no signature for commitlog in $commits ; do commitverify=$(echo $commitlog | cut -d , -f 1) commit=$(echo $commitlog | cut -d , -f 2) case $commitverify in G|U) git verify-commit $commit && \ guix pull --url=file://$workdir --commit=$commit && \ exit 0 ;; esacdone echo unable to find signed commitexit 1
Hi Vagrant, Vagrant Cascadian <vagrant@debian.org> skribis:
Toggle quote (8 lines)> This isn't exactly pretty, and obviously a better long-term solution is> needed, but I wrote a quick shell script to at least partially addresses> some my biggest fears with guix pull...>> Basically, it updates a git checkout, checks the signatures on the> commits, looking for the topmost signed commit by a key in a specific> keyring, and then runs guix pull with that commit.
Thanks for sharing! Even if it’s not the long-term solution, it’s auseful way to see how to move forward.
Toggle quote (13 lines)> It relies on a custom gpg directory and assumes any of the keys in the> keyring are valid potential signers of the commits; the web of trust is> essentially ignored.>> I really don't like having a custom GNUPGHOME, but I didn't see any> other obvious way to pass arguments to git to use a custom keyring. I> populated this GNUPGHOME with keys from:>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1>> And then ran gpg --refresh-keys on it, as several keys were> outdated/expired.
‘gpgv’, which is recommended for this use case, has a ‘--keyring’argument. I suppose we could use that.
Toggle quote (3 lines)> (an alternative approach to populate the keyring might be:> https://gitlab.com/Efraim/guix-keyring)
Indeed, didn’t know about this repo. Thank you,Ludo’.
Toggle quote (13 lines)> Vagrant Cascadian <vagrant@debian.org> skribis:>> I really don't like having a custom GNUPGHOME, but I didn't see any>> other obvious way to pass arguments to git to use a custom keyring. I>> populated this GNUPGHOME with keys from:>>>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1>>>> And then ran gpg --refresh-keys on it, as several keys were>> outdated/expired.>> ‘gpgv’, which is recommended for this use case, has a ‘--keyring’> argument. I suppose we could use that.
I'm not sure how to get git to use gpgv instead of gpg, and extractingthe information out of git and then implementing some externalverification process, while possible, is likely error-prone. A feature request to git to allow passing gpg arguments or use gpgvwould be the best way forward in the long-term.
Toggle quote (18 lines)> On 2018-09-02, Ludovic Courtès wrote:>> Vagrant Cascadian <vagrant@debian.org> skribis:>>> I really don't like having a custom GNUPGHOME, but I didn't see any>>> other obvious way to pass arguments to git to use a custom keyring. I>>> populated this GNUPGHOME with keys from:>>>>>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1>>>>>> And then ran gpg --refresh-keys on it, as several keys were>>> outdated/expired.>>>> ‘gpgv’, which is recommended for this use case, has a ‘--keyring’>> argument. I suppose we could use that.>> I'm not sure how to get git to use gpgv instead of gpg, and extracting> the information out of git and then implementing some external> verification process, while possible, is likely error-prone.
Oh right, IIRC Git cannot use gpgv (this was probably discussed in thisissue, now that I think about it.) Good thing is that using Guile-Git as in the toy example athttps://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#103, we can usegpgv.
Toggle quote (3 lines)> A feature request to git to allow passing gpg arguments or use gpgv> would be the best way forward in the long-term.
Hello Guix! It’s high time for us to provide a means to authenticate Git checkouts.It’s not clear what the perfect solution will be, so in the meantime Ithink we need to have reasonable milestones that incrementally improvethe situation. To begin with, I propose the attached script: when given a commit range,it authenticates each commit, meaning that it ensures commits have avalid signature and that that signature was made by one of theauthorized keys. Sample session:
Toggle snippet (14 lines)$ time ./pre-inst-env guile -e git-authenticate build-aux/git-authenticate.scm d68de958b60426798ed62797ff7c96c327a672ac 099ce5d4901706dc2c5be888a5c8cbf8fcd0d576Authenticating d68de95 to 099ce5d (7938 commits)...Signing statistics: BCA689B636553801C3C62150197A5888235FACAC 1454 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 1025 BBB02DDF2CEAF6A80D1DE643A2A06DF2A33A54FA 941 [...] real 2m21.272suser 1m38.741ssys 0m59.546s
Limitations: 1. People (developers) have to run it manually, there’s no suitable Git hook; ‘guix pull’ doesn’t run it. 2. The list of authorized keys is hard-coded. 3. It’s relatively slow (but faster than a shell script). 4. It lazily populates a keyring (under ~/.config/guix/keyrings/channels/guix.kbx) by fetching keys from key servers, which may or may not have the keys. 5. It doesn’t address roll-back attacks and other attacks described inhttps://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias. 6. It doesn’t memorize which commits have already been verified. 7. I haven’t checked whether the hard-coded ‘%committers’ lists works for commits before v1.0.1—help welcome! It should be possible to address #2 by adding the list in the repoitself, though we’d need to check the cost of accessing that list atevery commit. #3 can probably be addressed by using a Scheme implementation of theOpenPGP bits we need, such as that of Industria. #4 can be addressed by storing the keys in the repo itself, either asfiles directly or with a trick likehttps://365git.tumblr.com/post/2813251228/adding-a-gpg-public-key-to-a-repository. #6 could be addressed by storing Git notes maybe. #5 is hard IMO, but it’s one of the things we discussed at the R-Bsummit, so there’s hope. I’d like to commit this script under build-aux/ as a first step. Thoughts? Thanks,Ludo’. PS: See https://issues.guix.gnu.org/issue/22883 for context.
Hi Ludo, To be honest, I do not clearly understand what the issue is concretelyabout. So I am probably out-of-scope and/or irrelevant. One milestone could be to have Git tags and "guix pull" would 'jump'between these tags. For an end-user like me, tags ease: a. the commit range specification (#1) b. memorize what I have already verified (#6) Moreover, it would feed a variant of OPAM path or Qubes path as yousummarized here [1] or mitigate attacks if I understand the answersthere [2] or [3]. [1] https://issues.guix.info/issue/22883#12[2] https://issues.guix.info/issue/22883#15[3] https://issues.guix.info/issue/22883#26
Toggle quote (18 lines)> To begin with, I propose the attached script: when given a commit range,> it authenticates each commit, meaning that it ensures commits have a> valid signature and that that signature was made by one of the> authorized keys. Sample session:>> $ time ./pre-inst-env guile -e git-authenticate build-aux/git-authenticate.scm d68de958b60426798ed62797ff7c96c327a672ac 099ce5d4901706dc2c5be888a5c8cbf8fcd0d576> Authenticating d68de95 to 099ce5d (7938 commits)...> Signing statistics:> BCA689B636553801C3C62150197A5888235FACAC 1454> 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 1025> BBB02DDF2CEAF6A80D1DE643A2A06DF2A33A54FA 941>> [...]>> real 2m21.272s> user 1m38.741s> sys 0m59.546s
I’ve now committed this file: b3011dbbd2 doc: Mention "make authenticate". 787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits. 785af04a75 git: 'commit-difference' takes a list of excluded commits. 1e43ab2c03 Add 'build-aux/git-authenticate.scm'. Commit 787766ed1e takes care of caching (one of the limitations Imentioned in my previous message). Commit b3011dbbd2 adds instructions for contributors on how toauthenticate a checkout (copied below). It’s a bit bumpy so I wouldvery much welcome feedback and suggestions on how to improve this! Thanks in advance! Ludo’.
Toggle snippet (37 lines)If you want to hack Guix itself, it is recommended to use the latestversion from the Git repository: git clone https://git.savannah.gnu.org/git/guix.git How do you ensure that you obtained a genuine copy of the repository?Guix itself provides a tool to “authenticate” your checkout, but youmust first make sure this tool is genuine in order to “bootstrap” thetrust chain. To do that, run: git verify-commit `git log --format=%H build-aux/git-authenticate.scm` The output must look something like: gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 ... gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 ... ... meaning that changes to this file are all signed with key‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch thiskey from a key server, if you have not done it yet). From there on, you can authenticate all the commits included in yourcheckout by running: make authenticate The first run takes a couple of minutes, but subsequent runs arefaster. Note: You are advised to run ‘make authenticate’ after every ‘git pull’ invocation. This ensures you keep receiving valid changes to the repository
Toggle quote (41 lines)> Hello,>> Just a note for later…>> ludo@gnu.org (Ludovic Courtès) skribis:>>> With the quick-hack libgit2 bindings attached, I can run this program,>> which authenticates HEAD:>> [...]>>> So I think we can go from here. Our repo would contain a Scheme list of>> authorized OpenPGP fingerprints, and we’d check whether the fingerprint>> that shows up in ‘valid-signature’ above is among them>> Storing the list of authorized keys in a file in the repo is> inconvenient: simply to retrieve it, you’d need to make a checkout. So> for each commit we verify, we have to check out the whole repo, which is> inefficient.>> While reading> <http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I> realized we could store in empty Git commit messages, which would> address the above problem (we could use a custom object type too, but> that would be less convenient.)>> So the special commit could look like:>> Authorization>> (commit-authorizations> (authorization-commit (KEY1 KEY2 …))> (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))> (files _ (KEY1 KEY2 …))) ;all other files>> That way, to authenticate a commit, we first fetch the latest> authorization commit, read the authorization rules from there, and make> sure that the changes it makes match the rules.>> Thoughts?
Does this *have* to be baked into git? Or are we like the carpenterapprentice who just learned how to use a hammer and considers everythingto be a kind of nail…? I see the appeal of having everything in git as that’s where the commitsare that should be authenticated, but using special commit messagesseems to me like shoehorning update authorization into a code revisiontool. You mentioned that checking signatures on commits is also kinda slowbecause it’s sequential and not cached. I don’t know what I reallywant, but is there perhaps a way to aggregate signatures on past commitsso that the client’s work is reduced…? (I’m very glad you’re thinking about this problem and that you’ve come upwith practical steps forward! I don’t know if my thoughts on this topicare useful.) --Ricardo
Toggle quote (14 lines)> I’ve now committed this file:>> b3011dbbd2 doc: Mention "make authenticate".> 787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.> 785af04a75 git: 'commit-difference' takes a list of excluded commits.> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'.>> Commit 787766ed1e takes care of caching (one of the limitations I> mentioned in my previous message).>> Commit b3011dbbd2 adds instructions for contributors on how to> authenticate a checkout (copied below). It’s a bit bumpy so I would> very much welcome feedback and suggestions on how to improve this!
This is great! Thank you for the instructions. I thought I had all keys, butapparently at least one of them is missing. “make authenticate” failsfor me with this error: Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'. I previously downloaded the gpg keyring from Savannah: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix Looks like Hartmut used to use a different key, which I don’t have. --Ricardo
Toggle quote (30 lines)>> While reading>> <http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I>> realized we could store in empty Git commit messages, which would>> address the above problem (we could use a custom object type too, but>> that would be less convenient.)>>>> So the special commit could look like:>>>> Authorization>>>> (commit-authorizations>> (authorization-commit (KEY1 KEY2 …))>> (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))>> (files _ (KEY1 KEY2 …))) ;all other files>>>> That way, to authenticate a commit, we first fetch the latest>> authorization commit, read the authorization rules from there, and make>> sure that the changes it makes match the rules.>>>> Thoughts?>> Does this *have* to be baked into git? Or are we like the carpenter> apprentice who just learned how to use a hammer and considers everything> to be a kind of nail…?>> I see the appeal of having everything in git as that’s where the commits> are that should be authenticated, but using special commit messages> seems to me like shoehorning update authorization into a code revision> tool.
Well, I’ve changed my mind on this topic since that message. :-) Now, the way I see it, we’d have a plain file listing authorized keys(the file is under version control, but it’s a regular file). Thatstill needs to be prototyped to check whether it’s acceptableperformance-wise, but I’m more confident now.
Toggle quote (5 lines)> You mentioned that checking signatures on commits is also kinda slow> because it’s sequential and not cached. I don’t know what I really> want, but is there perhaps a way to aggregate signatures on past commits> so that the client’s work is reduced…?
The caching implemented in 787766ed1e7f0806a98e696830542da528f957bbmakes things acceptable: the first “make authenticate” run takes a bitmore than two minutes to check all the commits starting from ‘v1.0.1’,but subsequent runs take a few seconds. I have plans to make things faster (independently of the cache) by doingOpenPGP signature verification entirely in Scheme instead of spawning‘gpgv’ every time. Again, we’ll have to get a prototype before we cantell whether it actually is faster. I hope I can spend some more time on this during the holidays, butanyhow, feedback is much appreciated! Thanks,Ludo’.
Toggle quote (5 lines)> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb> makes things acceptable: the first “make authenticate” run takes a bit> more than two minutes to check all the commits starting from ‘v1.0.1’,> but subsequent runs take a few seconds.
This sounds good. I wonder how we would integrate this into “guix pull”. Forauthentication to work at all the user would have to have *all* pastkeys. (I’m missing at least one of the keys, because only current keysare contained in the keyring on Savannah.)
Toggle quote (5 lines)> I have plans to make things faster (independently of the cache) by doing> OpenPGP signature verification entirely in Scheme instead of spawning> ‘gpgv’ every time. Again, we’ll have to get a prototype before we can> tell whether it actually is faster.
More things implemented in Scheme – I love it! :) --Ricardo
Toggle quote (14 lines)> Ludovic Courtès <ludo@gnu.org> writes:>>> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb>> makes things acceptable: the first “make authenticate” run takes a bit>> more than two minutes to check all the commits starting from ‘v1.0.1’,>> but subsequent runs take a few seconds.>> This sounds good.>> I wonder how we would integrate this into “guix pull”. For> authentication to work at all the user would have to have *all* past> keys. (I’m missing at least one of the keys, because only current keys> are contained in the keyring on Savannah.)
Right. Clearly we shouldn’t rely on key servers because it’s brittle,keys might be missing, it requires the whole GnuPG shebang to fetch asingle key, etc. Instead, what I have in mind is to have a branch in the same repocontaining a complete keyring of the past and current keys (say, onefile per key). The machinery would thus start by loading the keyringand then use it when verifying signatures. We can generalize that to all channels: ‘.guix-channel’ could specify(1) a keyring branch, and (2) the name of a file listing authorizedkeys. How does that sound? Thanks,Ludo’.
Toggle quote (14 lines)>> b3011dbbd2 doc: Mention "make authenticate".>> 787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.>> 785af04a75 git: 'commit-difference' takes a list of excluded commits.>> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'.>>>> Commit 787766ed1e takes care of caching (one of the limitations I>> mentioned in my previous message).>>>> Commit b3011dbbd2 adds instructions for contributors on how to>> authenticate a checkout (copied below). It’s a bit bumpy so I would>> very much welcome feedback and suggestions on how to improve this!>> This is great!
Yes! Yes!
Toggle quote (12 lines)> Thank you for the instructions. I thought I had all keys, but> apparently at least one of them is missing. “make authenticate” fails> for me with this error:>> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.>> I previously downloaded the gpg keyring from Savannah:>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix>> Looks like Hartmut used to use a different key, which I don’t have.
I got this too, and manually worked around it by downloadingguix-keyring.gpg from: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1 And running: gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg It seems to be working now... how is the keyring *supposed* to bepopulated? Before I manually imported guix-keyring.gpg into guix.kbx,there were a very small number of keys present.
It's a little awkward that it uses the fingerprint of the signing keyrather than the primary key, as by default things like "gpg --list-keys"do not display the fingerprint of signing keys, only the primary key, soit is an adventure in gpg commandline options to correlate them. "gpg log --show-signature" also reports the the primary key fingerprint,if the key is available in the keyring, and only the subkey fingerprintfor unknown keys if I remember correctly. It would be nice if the statistics would display the primary uidinstead, as it is something a little more human readable, and theprimary key fingerprint, as it is a little easier to find. :)
I'm hoping the eventual goal is to integrate this into guix pull?
On Sat, Dec 28, 2019 at 06:45:34PM -0800, Vagrant Cascadian wrote:
Toggle quote (40 lines)> On 2019-12-27, Ricardo Wurmus wrote:> >> b3011dbbd2 doc: Mention "make authenticate".> >> 787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.> >> 785af04a75 git: 'commit-difference' takes a list of excluded commits.> >> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'.> >>> >> Commit 787766ed1e takes care of caching (one of the limitations I> >> mentioned in my previous message).> >>> >> Commit b3011dbbd2 adds instructions for contributors on how to> >> authenticate a checkout (copied below). It’s a bit bumpy so I would> >> very much welcome feedback and suggestions on how to improve this!> >> > This is great!> > Yes! Yes!> > > > Thank you for the instructions. I thought I had all keys, but> > apparently at least one of them is missing. “make authenticate” fails> > for me with this error:> >> > Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.> >> > I previously downloaded the gpg keyring from Savannah:> >> > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix> >> > Looks like Hartmut used to use a different key, which I don’t have.> > I got this too, and manually worked around it by downloading> guix-keyring.gpg from:> > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1> > And running:> > gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg>
Thanks for the hint. I started with importing the keyring into my normalkeyring but I see now we have another keyring for this specifically. (another being the user default, ~/.config/guix/upstream/trustedkeys.kbxand now this one)
Toggle quote (30 lines)> It seems to be working now... how is the keyring *supposed* to be> populated? Before I manually imported guix-keyring.gpg into guix.kbx,> there were a very small number of keys present.> > > It's a little awkward that it uses the fingerprint of the signing key> rather than the primary key, as by default things like "gpg --list-keys"> do not display the fingerprint of signing keys, only the primary key, so> it is an adventure in gpg commandline options to correlate them.> > "gpg log --show-signature" also reports the the primary key fingerprint,> if the key is available in the keyring, and only the subkey fingerprint> for unknown keys if I remember correctly.> > It would be nice if the statistics would display the primary uid> instead, as it is something a little more human readable, and the> primary key fingerprint, as it is a little easier to find. :)> > > I'm hoping the eventual goal is to integrate this into guix pull?> > > Very nice to see progress on this issue!> > > live well,> vagrant
-- Efraim Flashner <efraim@flashner.co.il> אפרים פלשנרGPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351Confidentiality cannot be guaranteed on emails sent or received unencrypted
Toggle quote (2 lines)> On 2019-12-27, Ricardo Wurmus wrote:
[...]
Toggle quote (25 lines)>> Thank you for the instructions. I thought I had all keys, but>> apparently at least one of them is missing. “make authenticate” fails>> for me with this error:>>>> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.>>>> I previously downloaded the gpg keyring from Savannah:>>>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix>>>> Looks like Hartmut used to use a different key, which I don’t have.>> I got this too, and manually worked around it by downloading> guix-keyring.gpg from:>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1>> And running:>> gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg>> It seems to be working now... how is the keyring *supposed* to be> populated? Before I manually imported guix-keyring.gpg into guix.kbx,> there were a very small number of keys present.
By default, the script currently automatically downloads keys fromkeyserver into ~/.config/…/guix.kbx: see ‘gnupg-verify*’ in (guixgnupg). This is unreliable and rather undesirable, so the real solutionwill be to have the keyring in the repo.
Toggle quote (9 lines)> It's a little awkward that it uses the fingerprint of the signing key> rather than the primary key, as by default things like "gpg --list-keys"> do not display the fingerprint of signing keys, only the primary key, so> it is an adventure in gpg commandline options to correlate them.>> "gpg log --show-signature" also reports the the primary key fingerprint,> if the key is available in the keyring, and only the subkey fingerprint> for unknown keys if I remember correctly.
Yeah, well. Apparently ‘gpgv --status-fd’ reports the fingerprint ofthe subkey, not that of the primary key, which is why we’re storing thefingerprint of the subkey. I think it actually makes sense, but I wonder why ‘gpg’ makes it so hardto see the fingerprint of subkeys.
Toggle quote (4 lines)> It would be nice if the statistics would display the primary uid> instead, as it is something a little more human readable, and the> primary key fingerprint, as it is a little easier to find. :)
Ah, true!
Toggle quote (2 lines)> I'm hoping the eventual goal is to integrate this into guix pull?
Toggle quote (39 lines)> --8<---------------cut here---------------start------------->8---> If you want to hack Guix itself, it is recommended to use the latest> version from the Git repository:> > git clone https://git.savannah.gnu.org/git/guix.git> > How do you ensure that you obtained a genuine copy of the repository?> Guix itself provides a tool to “authenticate” your checkout, but you> must first make sure this tool is genuine in order to “bootstrap” the> trust chain. To do that, run:> > git verify-commit `git log --format=%H build-aux/git-authenticate.scm`> > The output must look something like:> > gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5> ...> gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5> ...> > ... meaning that changes to this file are all signed with key> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this> key from a key server, if you have not done it yet).> > From there on, you can authenticate all the commits included in your> checkout by running:> > make authenticate> > The first run takes a couple of minutes, but subsequent runs are> faster.> > Note: You are advised to run ‘make authenticate’ after every ‘git> pull’ invocation. This ensures you keep receiving valid changes to> the repository> --8<---------------cut here---------------end--------------->8---
Sadly, these instructions don't work from a fresh clone. There is onlyMakefile.am and no Makefile itself, so you get $ make authenticatemake: *** No rule to make target 'authenticate'. Stop. Moreover, I don't think running 'make authenticate' after 'git pull'would really work -- after you pulled, git-authenticate could've beenmodified, so the verify-commit you did earlier doesn't apply anymore. There's also the issue of trusting pre-inst-env, which is used to runthe verification. Should that be passed to 'git log --format=%H' next togit-authenticate.scm? This also applies to any scripts you use to drivethis process, like the Makefile. Regards,Kuba
(name . Jakub Kądziołka)(address . kuba@kadziolka.net)(address . 22883@debbugs.gnu.org)
87sgkqdqjn.fsf@gnu.org
Hello, Jakub Kądziołka <kuba@kadziolka.net> skribis:
Toggle quote (2 lines)> Ludovic Courtès wrote:
[...]
Toggle quote (39 lines)>> How do you ensure that you obtained a genuine copy of the repository?>> Guix itself provides a tool to “authenticate” your checkout, but you>> must first make sure this tool is genuine in order to “bootstrap” the>> trust chain. To do that, run:>> >> git verify-commit `git log --format=%H build-aux/git-authenticate.scm`>> >> The output must look something like:>> >> gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET>> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5>> ...>> gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET>> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5>> ...>> >> ... meaning that changes to this file are all signed with key>> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this>> key from a key server, if you have not done it yet).>> >> From there on, you can authenticate all the commits included in your>> checkout by running:>> >> make authenticate>> >> The first run takes a couple of minutes, but subsequent runs are>> faster.>> >> Note: You are advised to run ‘make authenticate’ after every ‘git>> pull’ invocation. This ensures you keep receiving valid changes to>> the repository>> --8<---------------cut here---------------end--------------->8--->> Sadly, these instructions don't work from a fresh clone. There is only> Makefile.am and no Makefile itself, so you get>> $ make authenticate> make: *** No rule to make target 'authenticate'. Stop.
Uh, good point.
Toggle quote (4 lines)> Moreover, I don't think running 'make authenticate' after 'git pull'> would really work -- after you pulled, git-authenticate could've been> modified, so the verify-commit you did earlier doesn't apply anymore.
It works as long as I’m the only one modifying it (the instructionsabove explicitly mention my OpenPGP key). This is obviously suboptimal though. In a comment in‘contributing.texi’, I wrote: @c XXX: Adjust instructions when there's a known tag to start from. That would simplify things.
Toggle quote (5 lines)> There's also the issue of trusting pre-inst-env, which is used to run> the verification. Should that be passed to 'git log --format=%H' next to> git-authenticate.scm? This also applies to any scripts you use to drive> this process, like the Makefile.
Yes, this ./pre-inst-env thing and more generally the fact that we’repotentially running just-pulled code to authenticate the code is aproblem. We can solve it by removing ./pre-inst-env from the command in ‘makeauthenticate’. It will require people to have a recent-enough Guixalready installed (in particular with commitf94f9d67e65975724ee5b5cbc936c0895a258685), but I think that’sunavoidable: the assumption will be that we trust the already-installedhost tools and use them to authenticate the new code. Thoughts? Ludo’.
Toggle quote (15 lines)>> You mentioned that checking signatures on commits is also kinda slow>> because it’s sequential and not cached. I don’t know what I really>> want, but is there perhaps a way to aggregate signatures on past commits>> so that the client’s work is reduced…?>> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb> makes things acceptable: the first “make authenticate” run takes a bit> more than two minutes to check all the commits starting from ‘v1.0.1’,> but subsequent runs take a few seconds.>> I have plans to make things faster (independently of the cache) by doing> OpenPGP signature verification entirely in Scheme instead of spawning> ‘gpgv’ every time. Again, we’ll have to get a prototype before we can> tell whether it actually is faster.
I’ve been able to resume work on that in the ‘wip-openpgp’ branch: 5a86b96f54 git-authenticate: Use (guix openpgp). 4e66563449 openpgp: Add 'string->openpgp-packet'. dc0b5d5e01 openpgp: 'lookup-key-by-{id,fingerprint}' return the key first. 740d804621 openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible. 0157c5ef7f openpgp: Add 'lookup-key-by-fingerprint'. 31fc7cf080 openpgp: Store the issuer key id and fingerprint in <openpgp-signature>. c22bede3ce openpgp: Decode the issuer-fingerprint signature subpacket. 74d0d85e49 DRAFT Add (guix openpgp). At this stage, ‘make authenticate’ uses the pure-Scheme implementation(based on Göran Weinholt’s code, heavily modified). It can authenticate14K+ commits in ~20s instead of 4m20s on my laptop, which is really nice. Signature verification in (guix openpgp) does just that: signatureverification. It does not validate signature and key metadata, inparticular expiration date. I guess it should at least error out when asignature creation time is newer than its key expiration time. It should also reject SHA1 signatures, at least optionally (I haven’tchecked whether our Git history has any of these). I would very much welcome feedback and advice from an OpenPGP-savvyperson (I’ve Cc’d one to maximize the chances of success :-)). Next steps: • Clean up the (guix openpgp) API a bit, for instance by using proper SRFI-35 error conditions. Perhaps handle v5 packets too. • Load the keyring from files in the repo, possibly in a dedicated branch. • Load the list of authorized keys from the parent of the commit being authenticated. • Generalize that to channels. Ludo’.
Toggle quote (5 lines)> At this stage, ‘make authenticate’ uses the pure-Scheme implementation> (based on Göran Weinholt’s code, heavily modified). It can authenticate> 14K+ commits in ~20s instead of 4m20s on my laptop, which is really> nice.
Neat :)
Toggle quote (5 lines)> Signature verification in (guix openpgp) does just that: signature> verification. It does not validate signature and key metadata, in> particular expiration date. I guess it should at least error out when a> signature creation time is newer than its key expiration time.
Indeed. I skimmed both the original and the adapted code, and itnotably does no attempt to canonicalize the certificates in the keyring(i.e. checking binding signatures, lifetimes, revocations, (sub)keyflags...). While that is a bit dangerous, it is okay for a pointsolution for Guix, provided that this is properly documented andcommunicated. One can forgo canonicalization if one assumes that the keyring iscurated, and one has a good-list of (sub)keys fingerprints that areallowed to create signatures. Reading git-authentiate.scm that doesseem to be the case. (I bet that certificate canonicalization is the major reason why callingout to gpgv is so slow: it does that every time, and it involvessignature verification, which is slow (yes, I'm looking at you, RSA).)
Toggle quote (3 lines)> It should also reject SHA1 signatures, at least optionally (I haven’t> checked whether our Git history has any of these).
I believe it should. For reference, we reject SHA1 signatures forsignatures created since 2013.
Toggle quote (5 lines)> Next steps:>> • Clean up the (guix openpgp) API a bit, for instance by using proper> SRFI-35 error conditions. Perhaps handle v5 packets too.
Don't bother with v5 packets for now. The RFC is nowhere nearcompletion, and even if it is one day, it will be quite some time untilyou see these packets in the wild.
Toggle quote (17 lines)>> Signature verification in (guix openpgp) does just that: signature>> verification. It does not validate signature and key metadata, in>> particular expiration date. I guess it should at least error out when a>> signature creation time is newer than its key expiration time.>> Indeed. I skimmed both the original and the adapted code, and it> notably does no attempt to canonicalize the certificates in the keyring> (i.e. checking binding signatures, lifetimes, revocations, (sub)key> flags...). While that is a bit dangerous, it is okay for a point> solution for Guix, provided that this is properly documented and> communicated.>> One can forgo canonicalization if one assumes that the keyring is> curated, and one has a good-list of (sub)keys fingerprints that are> allowed to create signatures. Reading git-authentiate.scm that does> seem to be the case.
Yeah, the (guix openpgp) module is good enough for this narrow use case,but I agree that people shouldn’t view it as a viable signature-onlyOpenPGP implementation in the general case. I’ll clarify this at least in the source file.
Toggle quote (4 lines)> (I bet that certificate canonicalization is the major reason why calling> out to gpgv is so slow: it does that every time, and it involves> signature verification, which is slow (yes, I'm looking at you, RSA).)
I see.
Toggle quote (6 lines)>> It should also reject SHA1 signatures, at least optionally (I haven’t>> checked whether our Git history has any of these).>> I believe it should. For reference, we reject SHA1 signatures for> signatures created since 2013.
Sounds good, I’ll do that.
Toggle quote (9 lines)>> Next steps:>>>> • Clean up the (guix openpgp) API a bit, for instance by using proper>> SRFI-35 error conditions. Perhaps handle v5 packets too.>> Don't bother with v5 packets for now. The RFC is nowhere near> completion, and even if it is one day, it will be quite some time until> you see these packets in the wild.
Alright, even better. Thanks for taking the time to look into it! Ludo’.
Toggle quote (6 lines)> • Load the keyring from files in the repo, possibly in a dedicated> branch.>> • Load the list of authorized keys from the parent of the commit being> authenticated.
Done! 8916c2fa32 git-authenticate: Load the keyring from the repository. 6960064ddc git-authenticate: Load the list of authorized keys from the tree. f145a2d1a9 .guix-authorizations: Augment. 62ae43db19 git-authenticate: Use (guix openpgp). ‘git-authenticate’ now loads the keyring from the “keyring” branch,which I’ve just pushed as an “orphan” branch: https://git.savannah.gnu.org/cgit/guix.git/?h=keyring So no need to store the keyring out-of-band, to spawn gpg to fetch keysfrom somewhere else, etc. The idea is that we’ll keep adding new keysto this branch every time a new committer joins. We would never removekeys from there because those keys are necessary to verify signatures.The fact that a key is present on that branch does _not_ mean that itdesignates an authorized committer today. The list of authorized committers is meant to be stored in a‘.guix-authorizations’ file in each branch of the channel. It isessentially a list of fingerprints: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e To accept a new committer, an authorized committer must add its key tothis file in the branch(es) where that person is expected to commit.The format currently accepts additional data for each fingerprint. It’scurrently ignored, but I thought it could be useful in the future, forinstance if we want to associate a file pattern with a key. A commit is considered “authorized” if and only if its signing key islisted in the ‘.guix-authorizations’ file of its parent commit(s). In ‘git-authenticate’, this is implemented in a naive unoptimized way,but it turns out to make no noticeable difference on the wall-clock timeto authenticate those 14K+ commits. The crux of the authorizationmechanism is this procedure: (define* (commit-authorized-keys repository commit #:optional (default-authorizations '())) "Return the list of OpenPGP fingerprints authorized to sign COMMIT, based on authorizations listed in its parent commits. If one of the parent commits does not specify anything, fall back to DEFAULT-AUTHORIZATIONS." …) Feedback welcome! Ludo’.
Toggle quote (2 lines)> • Generalize that to channels.
As I see it, the generalization would be made by adding theauthentication parameters to the ‘.guix-channel’ file, along theselines: (channel (version 0) (keyring-reference "my-keyring-branch") (historical-authorizations ".guix-authorizations.old")) where: • ‘keyring-reference’ specifies the branch where to look for *.key files that constitute the keyring. It can be ‘master’ and have the key mixed up with other files if that’s OK for the channel. By default, it could be the current branch. • ‘historical-authorizations’ specifies a file to load in this branch and that contains a ‘.guix-authorizations’-formatted list of fingerprints for commits that lack a ‘.guix-authorizations’ file. By default, we could ignore historical commits—more specifically, commits whose parent(s) lack(s) ‘.guix-authorizations’. It does mean that if an authorized commit removes ‘.guix-authorizations’, then we’re back to unauthenticated commits. ‘guix pull’ would error out before attempting to build anything ifauthentication fails. It could display a warning when pulling a commitwhose parent(s) lack(s) ‘.guix-authorizations’. Thoughts? In terms of code, everything is already there, so it’d be mostly aboutmoving code around and double-checking the new data formats sincethey’ll be hard to change. In terms of processes, it’ll be tricky: if we committers make a mistake(sign with the wrong key, forget to add a new committer’s key, etc.),nobody is able to pull. In such a case, we’ll probably have to do ahard-reset of the affected branch. It would be best if we had a server-side hook to perform all thesechecks, so that we don’t encounter such problems. That would meanrunning some of this code on Savannah, I don’t know if it’ll bepossible. If it’s not, we can set up our own Git repo elsewhere andmake Savannah a mirror. More thoughts? :-) Ludo’.
Toggle quote (5 lines)> Next steps:>> • Clean up the (guix openpgp) API a bit, for instance by using proper> SRFI-35 error conditions.
Done the API cleanup. I’ll go ahead and push the current ‘wip-openpgp’branch (squashing commits marked as such) tomorrow if there are noobjections. The formats and mechanisms are not set in stone until this isgeneralized to channels, but we’re getting there. Now’s a good time toraise any concerns you may have, comrades! Ludo’.
Toggle quote (4 lines)> Done the API cleanup. I’ll go ahead and push the current ‘wip-openpgp’> branch (squashing commits marked as such) tomorrow if there are no> objections.
Pushed on master! 4a84deda74 doc: Recommend against SHA1 OpenPGP signatures. 84133320b8 doc: Document committer authorization. 05d973eef2 openpgp: Raise error conditions instead of calling 'error'. 041dc3a9c0 git-authenticate: Load the keyring from the repository. 92db1036b7 git-authenticate: Load the list of authorized keys from the tree. bee5b7a0f8 .guix-authorizations: Augment. 051a45e642 git-authenticate: Use (guix openpgp). b835e158d5 openpgp: Add 'string->openpgp-packet'. bd8126558d openpgp: 'lookup-key-by-{id,fingerprint}' return the key first. b45fa0a123 openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible. efe1f0122c openpgp: Add 'lookup-key-by-fingerprint'. 7b2b3a13cc openpgp: Store the issuer key id and fingerprint in <openpgp-signature>. 4459c7859c openpgp: Decode the issuer-fingerprint signature subpacket. 43408e304f Add (guix openpgp). c91e27c608 Add '.guix-authorizations'.
Toggle quote (4 lines)> The formats and mechanisms are not set in stone until this is> generalized to channels, but we’re getting there. Now’s a good time to> raise any concerns you may have, comrades!
Toggle quote (15 lines)> The list of authorized committers is meant to be stored in a> ‘.guix-authorizations’ file in each branch of the channel. It is> essentially a list of fingerprints:>> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e>> To accept a new committer, an authorized committer must add its key to> this file in the branch(es) where that person is expected to commit.> The format currently accepts additional data for each fingerprint. It’s> currently ignored, but I thought it could be useful in the future, for> instance if we want to associate a file pattern with a key.>> A commit is considered “authorized” if and only if its signing key is> listed in the ‘.guix-authorizations’ file of its parent commit(s).
The good news with this model is that an adversary cannot trick usersinto fetching an unrelated branch where the authorizations would bedifferent: they can always detect that it’s a disconnected branch orthat it’s not a fast-forward pull. The bad news is that this also prevents “unauthorized forks” in general.Unless Guix folks explicitly push a commit authorizing the key of theperson who forks, commits by that person will appear as unauthorized. So we need an extra mechanism to say: “this fork starts here”. However,modifications to that piece of information must be detectable so thatone cannot serve a malicious fork that pretends to forego history. Ludo’.
Toggle quote (13 lines)> The good news with this model is that an adversary cannot trick users> into fetching an unrelated branch where the authorizations would be> different: they can always detect that it’s a disconnected branch or> that it’s not a fast-forward pull.>> The bad news is that this also prevents “unauthorized forks” in general.> Unless Guix folks explicitly push a commit authorizing the key of the> person who forks, commits by that person will appear as unauthorized.>> So we need an extra mechanism to say: “this fork starts here”. However,> modifications to that piece of information must be detectable so that> one cannot serve a malicious fork that pretends to forego history.
We have two issues to address: (1) bootstraping trust in a channel thefirst time ‘guix pull’ obtains it, and (2) supporting “unauthorized”forks as described above. The two are very similar. I think we need a way to “introduce” a channel to its users that goesbeyond a mere URL. It should be possible to obtain a “channel introduction” out-of-band(i.e., not in the channel’s repo). For example, the introduction to theofficial ‘guix’ channel would be in ‘%default-channels’, in (guixchannels), which users obtained in the binary tarball or ISO. For otherchannels where there’s no practical out-of-band transmission of theintroduction, it would very much be trust-on-first-use (TOFU). I think the introduction needs to include: 1. The commit used as a starting point for ‘.guix-authorizations’ checks. 2. The OpenPGP fingerprint of the signer of this first commit. 3. A signature over this commit/fingerprint pair made by the signer of the commit.
Rationale~~~~~~~~~ 1. The ‘guix’ channel and others will have their authorization start long after their initial commit. Thus, authors need to state where to start the authentication process. (Currently the starting point is hard-coded in ‘Makefile.am’ and passed as an argument to ‘build-aux/git-authenticate.scm’.) If that information were stored in ‘.guix-channel’, it would be trivial for an attacker to fork the project (or push a new commit) and pretend the authentication process must not take previous commits into account. 2. The fingerprint of the signer of the initial commit makes it easy for ‘guix pull’ to verify that initial commit on its first clone. 3. The signature over the commit/fingerprint pair makes sure that it was emitted by an authorized party. Without it, anyone could emit a channel introduction that skips over a range of commits. 4. When publishing a fork of a channel, one emits a new channel introduction. Users switching to the fork have to explicitly allow that new channel via its introduction; flipping the URL won’t be enough because ‘guix pull’ would report unauthorized commits. 5. The channel URL is not included in the introduction. However, the official URL is an important piece of information: it tells users this is where they’ll get the latest updates. It should be possible to create mirrors, but by default users should go to the official URL. They should be aware that mirrors can be outdated. I think the official URL can be stored in ‘.guix-channel’ in the repo (which is subject to the authentication machinery). That way, ‘guix pull’ can let the user know if they’re talking to a mirror rather than to the official channel. Prototype~~~~~~~~~ The attached code creates channel introductions. One implementationuses a “compact” binary encoding, which, one encoded in Radix-64, lookslike this: -----BEGIN GUIX CHANNEL INTRODUCTION----- R1hDSQAAAAAAFJdEzHtGNvr7dyyUrbjwWWG1s58WPORkVYqE/cadtAz7CQsRmT2a67UCvaMBAbYC Sf2QDQMACgEJCxGZPZrrtQHLb2IAXtUHUCgoY29tbWl0ICI5NzQ0Y2M3YjQ2MzZmYWZiNzcyYzk0 YWRiOGYwNTk2MWI1YjM5ZjE2IikgKHNpZ25lciAiM2NlNDY0NTU4YTg0ZmRjNjlkYjQwY2ZiMDkw YjExOTkzZDlhZWJiNSIpKYkCMwQAAQoAHRYhBDzkZFWKhP3GnbQM+wkLEZk9muu1BQJe1QdQAAoJ EAkLEZk9muu1SlUQAIQVO6JeNmDywM5bAVIktX0VbPmPl0CNCt2oTN8jPZ30lwa3osckOEa2LqQv 0xP59n9tPUue8rXoACcdZ4RS7fZeWjn9qBGCr7h/cQIS0p7II08jHccovvEfgQGxqQCe5hZ++Ehv OyKV84bG3VOxLFe7B2wIqoIAtmFYCeNmqBfOixSWgzCwC/G5fh7frXR+O9BzvhfBVeFSgzgayNnu GxgO+Jx7ZhnxR8rRIxrOxCEUjbi8ilIhw++z4ea7g4yTFCkmpPY54HIhzgERanm0/iJUBj9nv9kQ TXnJ2dcFeZL7b+fWdh8kiKaTgYKV3BGQOKpdqSBQcV9Ys+FFJ+I5ZRCzmTxafPLmR8eGM3aT4Fld drCjSHga4hbppQJPpNyKsrhwJ4d5tLuLHYUNlXEhcYi11Uo2i30T+TbOynD/uWFRY1+s0ffI1LmX FhSaqk44jfQoXYeeS8FO471ze3087fsp2WVwNZ5kdPOFNa1Iv+uj/CDILsb4kooRrawQod2W7eb6 jMCayWCUApah22BisQepkFVtKeEAG6aSkIa6Haq4ZrEtzz9gu4n6Pmgv60+n3t77rb7GbPafdSKu LiJ8PeYSBR3II2YdjIn9PTQ75Xg90IeFxt5PF70q/yb/WoRTIokHFho1QEmbmAm1HBO8SVlmHG+X 8WFn7ex7cx3iYH6H =xZUu -----END GUIX CHANNEL INTRODUCTION----- (guix channels) could provide a ‘channel-introduction->channel’procedure. In ~/.config/guix/channels.scm, one would write: (list (channel-introduction->channel "https://…" "\-----BEGIN GUIX CHANNEL INTRODUCTION-----…")) The introduction needs to be decoded and checked only the first time‘guix pull’ encounters a channel. This verbose interface creates an incentive to create a ‘guix channel’command that could make it easier to add a new channel. Thoughts? Ludo’.
(use-modules(guix)(gcryptpk-crypto)(gcryptbase16)(gcryptbase64)(srfisrfi-1)(srfisrfi-71)(ice-9popen)(ice-9match)(guixutils)(guixbuildutils)((guixopenpgp)#:select(openpgp-format-fingerprint))(rnrsbytevectors)(rnrsioports))(defineurl"https://git.savannah.gnu.org/git/guix.git")(definecommit"9744cc7b4636fafb772c94adb8f05961b5b39f16")(definesigner(base16-string->bytevector"3ce464558a84fdc69db40cfb090b11993d9aebb5"))(define(sign-introductioncommitsigner)(let((pipepids(filtered-port(list(which"gpg")"-s""-u"(bytevector->base16-stringsigner))(open-input-string(object->string`((commit,commit)(signer,(bytevector->base16-stringsigner))))))))(let((bv(get-bytevector-allpipe)))(and(every(composezero?cdrwaitpid)pids)bv))))(define(channel-introductioncommitsigner)"Return an sexp representing a channel introduction."`(channel-introduction(version0)(commit,commit)(signer,(openpgp-format-fingerprintsigner))(signature,(base64-encode(sign-introductioncommitsigner)))))(define(radix-64-encodebv)(define(int24->bvint)(let((bv(make-bytevector3)))(bytevector-u8-set!bv0(ash(logandint#xff0000)-16))(bytevector-u8-set!bv1(ash(logandint#x00ff00)-8))(bytevector-u8-set!bv2(logandint#x0000ff))bv))(let((str(base64-encodebv)))(string-append"-----BEGIN GUIX CHANNEL INTRODUCTION-----\n\n"(insert-newlinesstr)"="(base64-encode(int24->bv((@@(guixopenpgp)crc24)bv)))"\n\n""-----END GUIX CHANNEL INTRODUCTION-----\n")))(define*(insert-newlinesstr#:optional(line-length76))"Insert newlines in STR every LINE-LENGTH characters."(letloop((result'())(strstr))(if(string-null?str)(string-concatenate-reverseresult)(let*((length(min(string-lengthstr)line-length))(prefix(string-takestrlength))(suffix(string-dropstrlength)))(loop(cons(string-appendprefix"\n")result)suffix)))))(radix-64-encode(string->utf8(object->string(channel-introductioncommitsigner))))(define(channel-introduction/compactcommitsigner)"Return a channel introduction as a bytevector, in compact binary
encoding."(let((portget(open-bytevector-output-port)))(put-bytevectorport(u8-list->bytevector(mapchar->integer(string->list"GXCI"))))(put-bytevectorport#vu8(0000));version
(let((commit(base16-string->bytevectorcommit))(len(make-bytevector2)))(bytevector-u16-set!len0(bytevector-lengthcommit)(endiannessbig))(put-bytevectorportlen)(put-bytevectorportcommit))(put-bytevectorportsigner)(let((signature(sign-introductioncommitsigner))(len(make-bytevector2)))(bytevector-u16-set!len0(bytevector-lengthsignature)(endiannessbig))(put-bytevectorportlen)(put-bytevectorportsignature))(force-outputport)(get)))(radix-64-encode(channel-introduction/compactcommitsigner))
Hi Ludo, I like this idea a lot since I use a checkout which I guess constitutesa "fork" in this scenario. I opened bug#41604(http://issues.guix.gnu.org/issue/41604)after having trouble with arebase based workflow. Some of my problems certainly come from my lackof understanding of the authentication process and machinery. Would thechannel introduction allow me to use the rebase workflow in my checkout? I am not sure I am clear on how I would setup an introduction for mylocal checkout. Heck, I am still trying to figure out how to add myselfas a signer to my patches on top of master. Thanks as always, John
Hi Ludo, Really cool!Well, even if I am not enough clever to understand all that.
On Mon, 1 Jun 2020 at 16:08, Ludovic Courtès <ludo@gnu.org> wrote:
Toggle quote (3 lines)> I think we need a way to “introduce” a channel to its users that goes> beyond a mere URL.
Just to be sure to well understand, will the good ol'~/.config/guix/channels.scm
Toggle snippet (7 lines) ;; Tell 'guix pull' to use my own repo. (list (channel (name 'guix) (url "https://example.org/my-guix.git") (branch "super-hacks")))
still work as it is now? i.e., using the current "unauthorized"mechanism. Or will a new keyword be added to this channel descriptionto say "this channel does not use authorized machinery but it isfine"?
Toggle quote (5 lines)> If that information were stored in ‘.guix-channel’, it would be> trivial for an attacker to fork the project (or push a new commit)> and pretend the authentication process must not take previous> commits into account.
What will happen to recursive '.guix-channel'? The '.guix-channel' ofchannel A contains the reference to the channel B where the'.guix-channel' contains the reference to the channel C, etc.
Toggle quote (5 lines)> 4. When publishing a fork of a channel, one emits a new channel> introduction. Users switching to the fork have to explicitly allow> that new channel via its introduction; flipping the URL won’t be> enough because ‘guix pull’ would report unauthorized commits.
I am a bit afraid by this... and I hope that a fork of a channel willstill work without emitting a new channel introduction.
Toggle quote (6 lines)> 5. The channel URL is not included in the introduction. However, the> official URL is an important piece of information: it tells users> this is where they’ll get the latest updates. It should be> possible to create mirrors, but by default users should go to the> official URL. They should be aware that mirrors can be outdated.
I do not understand this paragraph. The aim of mirrors is to avoidthe users to go to the official URL, isn't it? And the mirrors do nothave by design the latest updates (time to propagate, etc.).
Toggle quote (5 lines)> I think the official URL can be stored in ‘.guix-channel’ in the> repo (which is subject to the authentication machinery). That way,> ‘guix pull’ can let the user know if they’re talking to a mirror> rather than to the official channel.
Why does it matter? The user should authenticate the downloadedcontent whatever the URL serving it, isn't it?And can 'guix pull' already let the users know to who they are talking?
Toggle quote (3 lines)> This verbose interface creates an incentive to create a ‘guix channel’> command that could make it easier to add a new channel.
(name . John Soo)(address . jsoo1@asu.edu)(address . 22883@debbugs.gnu.org)
874krsqysu.fsf@gnu.org
Hi, John Soo <jsoo1@asu.edu> skribis:
Toggle quote (7 lines)> I like this idea a lot since I use a checkout which I guess constitutes> a "fork" in this scenario. I opened bug#41604> (http://issues.guix.gnu.org/issue/41604) after having trouble with a> rebase based workflow. Some of my problems certainly come from my lack> of understanding of the authentication process and machinery. Would the> channel introduction allow me to use the rebase workflow in my checkout?
No. Note that the authentication code is not used at all by ‘guix pull’currently. When all this is in place, channel introductions would behow you publish your own channel such that ‘guix pull’ can consume it.But as I wrote in the other issue, a rebase workflow is not supported by‘guix pull’ (just like it’s not supported by ‘git pull’ actually). HTH! Ludo’.
Toggle quote (19 lines)> On Mon, 1 Jun 2020 at 16:08, Ludovic Courtès <ludo@gnu.org> wrote:>>> I think we need a way to “introduce” a channel to its users that goes>> beyond a mere URL.>> Just to be sure to well understand, will the good ol'> ~/.config/guix/channels.scm>> ;; Tell 'guix pull' to use my own repo.> (list (channel> (name 'guix)> (url "https://example.org/my-guix.git")> (branch "super-hacks")))>> still work as it is now? i.e., using the current "unauthorized"> mechanism. Or will a new keyword be added to this channel description> to say "this channel does not use authorized machinery but it is> fine"?
Yeah, we have to keep it working. So I guess in that case it would justemit a warning saying this channel is not authenticated, and that’s it.
Toggle quote (9 lines)>> If that information were stored in ‘.guix-channel’, it would be>> trivial for an attacker to fork the project (or push a new commit)>> and pretend the authentication process must not take previous>> commits into account.>> What will happen to recursive '.guix-channel'? The '.guix-channel' of> channel A contains the reference to the channel B where the> '.guix-channel' contains the reference to the channel C, etc.
I’m not sure I understand. (The sentence above is about *not* storinginfo in ‘.guix-channel’.)
Toggle quote (8 lines)>> 4. When publishing a fork of a channel, one emits a new channel>> introduction. Users switching to the fork have to explicitly allow>> that new channel via its introduction; flipping the URL won’t be>> enough because ‘guix pull’ would report unauthorized commits.>> I am a bit afraid by this... and I hope that a fork of a channel will> still work without emitting a new channel introduction.
No, when publishing a fork of an authenticated channel, you’ll have topublish its introduction alongside its URL. I think it’s unavoidable: we want to be able to distinguish between amirror that has been tampered with and a fork.
Toggle quote (20 lines)>> 5. The channel URL is not included in the introduction. However, the>> official URL is an important piece of information: it tells users>> this is where they’ll get the latest updates. It should be>> possible to create mirrors, but by default users should go to the>> official URL. They should be aware that mirrors can be outdated.>> I do not understand this paragraph. The aim of mirrors is to avoid> the users to go to the official URL, isn't it? And the mirrors do not> have by design the latest updates (time to propagate, etc.).>>>> I think the official URL can be stored in ‘.guix-channel’ in the>> repo (which is subject to the authentication machinery). That way,>> ‘guix pull’ can let the user know if they’re talking to a mirror>> rather than to the official channel.>> Why does it matter? The user should authenticate the downloaded> content whatever the URL serving it, isn't it?> And can 'guix pull' already let the users know to who they are talking?
You’re right: ideally the URL wouldn’t matter at all. However, from asecurity perspective, we not only want to make sure users get genuinecommits, we also want to know they’re not talking to a possibly outdatedmirror. Since there’s no way to answer the question “is this the latest commit?”in a general way, the best we can do, I think, is to detect whetherwe’re talking to the “official” Git repo. Thanks for your feedback! Ludo’.
Hi Ludo, Thank you for the explanations. On Wed, 3 Jun 2020 at 11:50, Ludovic Courtès <ludo@gnu.org> wrote:
Toggle quote (15 lines)> zimoun <zimon.toutoune@gmail.com> skribis:> > On Mon, 1 Jun 2020 at 16:08, Ludovic Courtès <ludo@gnu.org> wrote: > >> If that information were stored in ‘.guix-channel’, it would be> >> trivial for an attacker to fork the project (or push a new commit)> >> and pretend the authentication process must not take previous> >> commits into account.> >> > What will happen to recursive '.guix-channel'? The '.guix-channel' of> > channel A contains the reference to the channel B where the> > '.guix-channel' contains the reference to the channel C, etc.>> I’m not sure I understand. (The sentence above is about *not* storing> info in ‘.guix-channel’.)
Sorry, I have misread.The question about recursive still applies. ;-)Currently, if the local channel file points to a channel A whichcontains the file '.guix-channel' which points to another channel B,then when one runs "guix pull" well the channel A will be pulled andthen the channel B, even if this channel B is not explicit in theinitial local channel. (Even, there is bug about recursive implicitpulls, see http://issues.guix.gnu.org/issue/41069;well anotherstory.) What happens for such situation?
Toggle quote (20 lines)> >> I think we need a way to “introduce” a channel to its users that goes> >> beyond a mere URL.> >> > Just to be sure to well understand, will the good ol'> > ~/.config/guix/channels.scm> >> > ;; Tell 'guix pull' to use my own repo.> > (list (channel> > (name 'guix)> > (url "https://example.org/my-guix.git")> > (branch "super-hacks")))> >> > still work as it is now? i.e., using the current "unauthorized"> > mechanism. Or will a new keyword be added to this channel description> > to say "this channel does not use authorized machinery but it is> > fine"?>> Yeah, we have to keep it working. So I guess in that case it would just> emit a warning saying this channel is not authenticated, and that’s it.
[...]
Toggle quote (11 lines)> >> 4. When publishing a fork of a channel, one emits a new channel> >> introduction. Users switching to the fork have to explicitly allow> >> that new channel via its introduction; flipping the URL won’t be> >> enough because ‘guix pull’ would report unauthorized commits.> >> > I am a bit afraid by this... and I hope that a fork of a channel will> > still work without emitting a new channel introduction.>> No, when publishing a fork of an authenticated channel, you’ll have to> publish its introduction alongside its URL.
I do not understand your two answers. Well, there is 4 situationswhen publishing: 1- an authenticated fork of an authenticated channel 2- an authenticated fork of an unauthenticated channel 3- an unauthenticated fork of an authenticated channel 4- an unauthenticated fork of an unauthenticated channel "authenticated channel" means a channel using all the authentication machinery."authenticated fork" means add a "channel introduction" and so becomea "authenticate channel" then. Today, we are in the situation 4. and we are going to the 1. if Iunderstand correctly.And if I understand your answer above about good ol' channel, the 4.will still work and emit a warning, isn't it?What about the 2. and 3.? These situations correspond to: 1- the correct way2- bootstrap the trust3- and 4- quick and dirty "Scientific" workflows where the security isnot a concern.
Toggle quote (3 lines)> I think it’s unavoidable: we want to be able to distinguish between a> mirror that has been tampered with and a fork.
I understand. But this break the symmetry and the distributed modelof Guix, IMHO.
Toggle quote (24 lines)> >> 5. The channel URL is not included in the introduction. However, the> >> official URL is an important piece of information: it tells users> >> this is where they’ll get the latest updates. It should be> >> possible to create mirrors, but by default users should go to the> >> official URL. They should be aware that mirrors can be outdated.> >> > I do not understand this paragraph. The aim of mirrors is to avoid> > the users to go to the official URL, isn't it? And the mirrors do not> > have by design the latest updates (time to propagate, etc.).> >> >> I think the official URL can be stored in ‘.guix-channel’ in the> >> repo (which is subject to the authentication machinery). That way,> >> ‘guix pull’ can let the user know if they’re talking to a mirror> >> rather than to the official channel.> >> > Why does it matter? The user should authenticate the downloaded> > content whatever the URL serving it, isn't it?> > And can 'guix pull' already let the users know to who they are talking?>> You’re right: ideally the URL wouldn’t matter at all. However, from a> security perspective, we not only want to make sure users get genuine> commits, we also want to know they’re not talking to a possibly outdated> mirror.
Genuine commits and outdated mirrors are separated questions, IMHO.
Toggle quote (4 lines)> Since there’s no way to answer the question “is this the latest commit?”> in a general way, the best we can do, I think, is to detect whether> we’re talking to the “official” Git repo.
What does "official" mean here? To me, it means commits that I trust,i.e., approved by an authority. My local clone is not less "official"than the repo on Savannah. I do not understand why the question “is this the latest commit?” hasto be answered. If an user wants the latest commits, then theydirectly pulls from upstream, i.e, from Savannah. If an user wants topull from a mirror for whatever reasons, then they knows that the lastupdates are not necessary there, since it is a mirror and not upstream-- and it is the responsibility of the mirror maintainer to keep itup-to-date. However, what the user wants to know is whether themirror has not introduced malicious commits.
Toggle quote (28 lines)> On Wed, 3 Jun 2020 at 11:50, Ludovic Courtès <ludo@gnu.org> wrote:>> zimoun <zimon.toutoune@gmail.com> skribis:>> > On Mon, 1 Jun 2020 at 16:08, Ludovic Courtès <ludo@gnu.org> wrote:>>> >> If that information were stored in ‘.guix-channel’, it would be>> >> trivial for an attacker to fork the project (or push a new commit)>> >> and pretend the authentication process must not take previous>> >> commits into account.>> >>> > What will happen to recursive '.guix-channel'? The '.guix-channel' of>> > channel A contains the reference to the channel B where the>> > '.guix-channel' contains the reference to the channel C, etc.>>>> I’m not sure I understand. (The sentence above is about *not* storing>> info in ‘.guix-channel’.)>> Sorry, I have misread.> The question about recursive still applies. ;-)> Currently, if the local channel file points to a channel A which> contains the file '.guix-channel' which points to another channel B,> then when one runs "guix pull" well the channel A will be pulled and> then the channel B, even if this channel B is not explicit in the> initial local channel. (Even, there is bug about recursive implicit> pulls, see http://issues.guix.gnu.org/issue/41069; well another> story.)>> What happens for such situation?
Nothing special, I guess: each channel would be authenticated (or not,if it’s an unsigned channel). I think it’s completely orthogonal.
Toggle quote (23 lines)>> >> 4. When publishing a fork of a channel, one emits a new channel>> >> introduction. Users switching to the fork have to explicitly allow>> >> that new channel via its introduction; flipping the URL won’t be>> >> enough because ‘guix pull’ would report unauthorized commits.>> >>> > I am a bit afraid by this... and I hope that a fork of a channel will>> > still work without emitting a new channel introduction.>>>> No, when publishing a fork of an authenticated channel, you’ll have to>> publish its introduction alongside its URL.>> I do not understand your two answers. Well, there is 4 situations> when publishing:>> 1- an authenticated fork of an authenticated channel> 2- an authenticated fork of an unauthenticated channel> 3- an unauthenticated fork of an authenticated channel> 4- an unauthenticated fork of an unauthenticated channel>> "authenticated channel" means a channel using all the authentication machinery.> "authenticated fork" means add a "channel introduction" and so become> a "authenticate channel" then.
I’m sorry, I don’t follow the terminology.
Toggle quote (13 lines)> Today, we are in the situation 4. and we are going to the 1. if I> understand correctly.> And if I understand your answer above about good ol' channel, the 4.> will still work and emit a warning, isn't it?> What about the 2. and 3.?>> These situations correspond to:>> 1- the correct way> 2- bootstrap the trust> 3- and 4- quick and dirty "Scientific" workflows where the security is> not a concern.
Funny how “scientific” has become synonymous with “quick-and-dirty”these days… […]
Toggle quote (20 lines)> Genuine commits and outdated mirrors are separated questions, IMHO.>>>> Since there’s no way to answer the question “is this the latest commit?”>> in a general way, the best we can do, I think, is to detect whether>> we’re talking to the “official” Git repo.>> What does "official" mean here? To me, it means commits that I trust,> i.e., approved by an authority. My local clone is not less "official"> than the repo on Savannah.>> I do not understand why the question “is this the latest commit?” has> to be answered. If an user wants the latest commits, then they> directly pulls from upstream, i.e, from Savannah. If an user wants to> pull from a mirror for whatever reasons, then they knows that the last> updates are not necessary there, since it is a mirror and not upstream> -- and it is the responsibility of the mirror maintainer to keep it> up-to-date. However, what the user wants to know is whether the> mirror has not introduced malicious commits.
Guix is a software supply tool. There are two important securityquestions a software supply client must address: “am I getting theauthentic stuff?”, and “am I getting the latest stuff?”. The first oneis obvious, the second one relates to “downgrade attacks” which canintroduce known security vulnerabilities. Things like The Update Framework (TUF) address both, but they do that ina context that’s technically “like Debian” (binary distro) and verydifferent from Guix. Yet, these two issues must also be addressed in Guix, like in any otherdistro. What we’ve been discussing here addresses the first question. For thesecond question, the best answer I came up with is that of an “officialURL”, allowing users to know the URL that should give them the lateststuff. “Official” means that it genuinely comes from the organization Ientrusted with my computer, be it the Guix project, another organizationmaintaining a Guix fork, or an organization maintaining a Guix channel. I hope that makes sense. Thanks,Ludo’.
Toggle diff (24 lines)diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scmindex 6d71228d72..4795ccf12a 100644--- a/guix/git-authenticate.scm+++ b/guix/git-authenticate.scm@@ -248,13 +248,13 @@ an OpenPGP keyring." #:key (default-authorizations '()) (keyring-reference "keyring")+ (keyring (load-keyring-from-reference+ repository keyring-reference)) (report-progress (const #t))) "Authenticate COMMITS, a list of commit objects, calling REPORT-PROGRESS for each of them. Return an alist showing the number of occurrences of each key.-The OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY."- (define keyring- (load-keyring-from-reference repository keyring-reference))-+If KEYRING is omitted, the OpenPGP keyring is loaded from KEYRING-REFERENCE in+REPOSITORY." (fold (lambda (commit stats) (report-progress) (let ((signer (authenticate-commit repository commit keyring-- 2.26.2
This should come before patching, authentication, etc. * guix/channels.scm (latest-channel-instance): Add #:validate-pullparameter and honor it. Return a single value: the instance.(ensure-forward-channel-update): Change 'instance' parameter to 'commit'and adjust accordingly.(latest-channel-instances): Adjust to 'latest-channel-instance' changes.* guix/scripts/pull.scm (warn-about-backward-updates): Change 'instance'parameter to 'commit' and adjust accordingly.* tests/channels.scm ("latest-channel-instances #:validate-pull"):Likewise.--- guix/channels.scm | 37 ++++++++++++++++++++----------------- guix/scripts/pull.scm | 10 ++++------ tests/channels.scm | 4 ++-- 3 files changed, 26 insertions(+), 25 deletions(-)
Toggle diff (128 lines)diff --git a/guix/channels.scm b/guix/channels.scmindex c2ea0e26ff..6047b51010 100644--- a/guix/channels.scm+++ b/guix/channels.scm@@ -376,9 +376,12 @@ commits ~a to ~a (~h new commits)...~%") (define* (latest-channel-instance store channel #:key (patches %patches)- starting-commit)- "Return two values: the latest channel instance for CHANNEL, and its-relation to STARTING-COMMIT when provided."+ starting-commit+ (validate-pull+ ensure-forward-channel-update))+ "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is+true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and+their relation." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat))))@@ -387,6 +390,9 @@ relation to STARTING-COMMIT when provided." (update-cached-checkout (channel-url channel) #:ref (channel-reference channel) #:starting-commit starting-commit)))+ (when relation+ (validate-pull channel starting-commit commit relation))+ (if (channel-introduction channel) (authenticate-channel channel checkout commit) ;; TODO: Warn for all the channels once the authentication interface@@ -403,12 +409,11 @@ relation to STARTING-COMMIT when provided." (let* ((name (url+commit->name (channel-url channel) commit)) (checkout (add-to-store store name #t "sha256" checkout #:select? (negate dot-git?))))- (values (channel-instance channel commit checkout)- relation))))+ (channel-instance channel commit checkout))))-(define (ensure-forward-channel-update channel start instance relation)+(define (ensure-forward-channel-update channel start commit relation) "Raise an error if RELATION is not 'ancestor, meaning that START is not an-ancestor of the commit in INSTANCE, unless CHANNEL specifies a commit.+ancestor of COMMIT, unless CHANNEL specifies a commit. This procedure implements a channel update policy meant to be used as a #:validate-pull argument."@@ -422,8 +427,7 @@ This procedure implements a channel update policy meant to be used as a (format #f (G_ "\ aborting update of channel '~a' to commit ~a, which is not a descendant of ~a") (channel-name channel)- (channel-instance-commit instance)- start))))+ commit start)))) ;; If the user asked for a specific commit, they might want ;; that to happen nevertheless, so tell them about the@@ -482,14 +486,13 @@ depending on the policy it implements." (G_ "Updating channel '~a' from Git repository at '~a'...~%") (channel-name channel) (channel-url channel))- (let*-values (((current)- (current-commit (channel-name channel)))- ((instance relation)- (latest-channel-instance store channel- #:starting-commit- current)))- (when relation- (validate-pull channel current instance relation))+ (let* ((current (current-commit (channel-name channel)))+ (instance+ (latest-channel-instance store channel+ #:validate-pull+ validate-pull+ #:starting-commit+ current))) (let-values (((new-instances new-channels) (loop (channel-instance-dependencies instance)diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scmindex c386d81b8e..d3d0d2bd64 100644--- a/guix/scripts/pull.scm+++ b/guix/scripts/pull.scm@@ -195,20 +195,18 @@ Download and deploy the latest version of Guix.\n")) %standard-build-options))-(define (warn-about-backward-updates channel start instance relation)- "Warn about non-forward updates of CHANNEL from START to INSTANCE, without+(define (warn-about-backward-updates channel start commit relation)+ "Warn about non-forward updates of CHANNEL from START to COMMIT, without aborting." (match relation ((or 'ancestor 'self) #t) ('descendant (warning (G_ "rolling back channel '~a' from ~a to ~a~%")- (channel-name channel) start- (channel-instance-commit instance)))+ (channel-name channel) start commit)) ('unrelated (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%")- (channel-name channel) start- (channel-instance-commit instance)))))+ (channel-name channel) start commit)))) (define* (display-profile-news profile #:key concise? current-is-newer?)diff --git a/tests/channels.scm b/tests/channels.scmindex 2c857083e9..5f13a48ec1 100644--- a/tests/channels.scm+++ b/tests/channels.scm@@ -212,12 +212,12 @@ (commit (oid->string (commit-id commit2))))) (old (channel (inherit spec) (commit (oid->string (commit-id commit1))))))- (define (validate-pull channel current instance relation)+ (define (validate-pull channel current commit relation) (return (and (eq? channel old) (string=? (oid->string (commit-id commit2)) current) (string=? (oid->string (commit-id commit1))- (channel-instance-commit instance))+ commit) relation))) (with-store store-- 2.26.2
This is useful when people run "guix time-machine -C channels.scm",where 'channels.scm' misses channel introductions. * guix/channels.scm (%default-channel-url): New variable.(%default-channels): Use it.(ensure-default-introduction): New procedure.(latest-channel-instance): Call it.--- guix/channels.scm | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
Toggle diff (51 lines)diff --git a/guix/channels.scm b/guix/channels.scmindex 6047b51010..43ddff6f7c 100644--- a/guix/channels.scm+++ b/guix/channels.scm@@ -148,18 +148,32 @@ "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))) #f)) ;TODO: Add an intro signature so it can be exported.+(define %default-channel-url+ ;; URL of the default 'guix' channel.+ "https://git.savannah.gnu.org/git/guix.git")+ (define %default-channels ;; Default list of channels. (list (channel (name 'guix) (branch "master")- (url "https://git.savannah.gnu.org/git/guix.git")+ (url %default-channel-url) (introduction %guix-channel-introduction)))) (define (guix-channel? channel) "Return true if CHANNEL is the 'guix' channel." (eq? 'guix (channel-name channel)))+(define (ensure-default-introduction chan)+ "If CHAN represents the \"official\" 'guix' channel and lacks an+introduction, add it."+ (if (and (guix-channel? chan)+ (not (channel-introduction chan))+ (string=? (channel-url chan) %default-channel-url))+ (channel (inherit chan)+ (introduction %guix-channel-introduction))+ chan))+ (define-record-type <channel-instance> (channel-instance channel commit checkout) channel-instance?@@ -386,7 +400,9 @@ their relation." (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat))))- (let-values (((checkout commit relation)+ (let-values (((channel)+ (ensure-default-introduction channel))+ ((checkout commit relation) (update-cached-checkout (channel-url channel) #:ref (channel-reference channel) #:starting-commit starting-commit)))-- 2.26.2
Toggle diff (146 lines)diff --git a/doc/guix.texi b/doc/guix.texiindex 6fcb47970b..8131b3bf0d 100644--- a/doc/guix.texi+++ b/doc/guix.texi@@ -3927,6 +3927,20 @@ Make sure you understand its security implications before using @option{--allow-downgrades}. @end quotation+@item --disable-authentication+Allow pulling channel code without authenticating it.++@cindex authentication, of channel code+By default, @command{guix pull} authenticates code downloaded from+channels by verifying that its commits are signed by authorized+developers, and raises an error if this is not the case. This option+instructs it to not perform any such verification.++@quotation Note+Make sure you understand its security implications before using+@option{--disable-authentication}.+@end quotation+ @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead ofdiff --git a/guix/channels.scm b/guix/channels.scmindex 43ddff6f7c..9e6adda5e9 100644--- a/guix/channels.scm+++ b/guix/channels.scm@@ -391,11 +391,12 @@ commits ~a to ~a (~h new commits)...~%") (define* (latest-channel-instance store channel #:key (patches %patches) starting-commit+ (authenticate? #f) (validate-pull ensure-forward-channel-update)) "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and-their relation."+their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat))))@@ -409,13 +410,15 @@ their relation." (when relation (validate-pull channel starting-commit commit relation))- (if (channel-introduction channel)- (authenticate-channel channel checkout commit)- ;; TODO: Warn for all the channels once the authentication interface- ;; is public.- (when (guix-channel? channel)- (warning (G_ "the code of channel '~a' cannot be authenticated~%")- (channel-name channel))))+ (if authenticate?+ (if (channel-introduction channel)+ (authenticate-channel channel checkout commit)+ ;; TODO: Warn for all the channels once the authentication interface+ ;; is public.+ (when (guix-channel? channel)+ (warning (G_ "the code of channel '~a' cannot be authenticated~%")+ (channel-name channel))))+ (warning (G_ "channel authentication disabled~%"))) (when (guix-channel? channel) ;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is@@ -463,11 +466,15 @@ allow non-forward updates.")))))))))) (define* (latest-channel-instances store channels #:key (current-channels '())+ (authenticate? #t) (validate-pull ensure-forward-channel-update)) "Return a list of channel instances corresponding to the latest checkouts of CHANNELS and the channels on which they depend.+When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a+\"channel introduction\".+ CURRENT-CHANNELS is the list of currently used channels. It is compared against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called for each channel update and can choose to emit warnings or raise an error,@@ -505,6 +512,8 @@ depending on the policy it implements." (let* ((current (current-commit (channel-name channel))) (instance (latest-channel-instance store channel+ #:authenticate?+ authenticate? #:validate-pull validate-pull #:starting-commitdiff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scmindex d3d0d2bd64..f953957161 100644--- a/guix/scripts/pull.scm+++ b/guix/scripts/pull.scm@@ -82,6 +82,7 @@ (graft? . #t) (debug . 0) (verbosity . 1)+ (authenticate-channels? . #t) (validate-pull . ,ensure-forward-channel-update))) (define (show-help)@@ -97,6 +98,9 @@ Download and deploy the latest version of Guix.\n")) --branch=BRANCH download the tip of the specified BRANCH")) (display (G_ " --allow-downgrades allow downgrades to earlier channel revisions"))+ (display (G_ "+ --disable-authentication+ disable channel authentication")) (display (G_ " -N, --news display news compared to the previous generation")) (display (G_ "@@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n")) (lambda (opt name arg result) (alist-cons 'validate-pull warn-about-backward-updates result)))+ (option '("disable-authentication") #f #f+ (lambda (opt name arg result)+ (alist-cons 'authenticate-channels? #f result))) (option '(#\p "profile") #t #f (lambda (opt name arg result) (alist-cons 'profile (canonicalize-profile arg)@@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead.")) (channels (channel-list opts)) (profile (or (assoc-ref opts 'profile) %current-profile)) (current-channels (profile-channels profile))- (validate-pull (assoc-ref opts 'validate-pull)))+ (validate-pull (assoc-ref opts 'validate-pull))+ (authenticate? (assoc-ref opts 'authenticate-channels?))) (cond ((assoc-ref opts 'query) (process-query opts profile)) ((assoc-ref opts 'generation)@@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead.")) #:current-channels current-channels #:validate-pull- validate-pull)))+ validate-pull+ #:authenticate?+ authenticate?))) (format (current-error-port) (N_ "Building from this channel:~%" "Building from these channels:~%"-- 2.26.2
Toggle quote (6 lines)> This patch series does it! It integrates checkout authentication> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.> automatically authenticate the commits they fetch and raise an> error if they find an unsigned commit or a commit signed by an> unauthorized party¹.
Something we didn’t discuss is that this model forbids a merge-requestkind of workflow, or at least the person who merges must sign thecommits, rewriting the merged branch. I think it’s a reasonable tradeoff in this space, but it’s worthkeeping in mind. Ludo’.
Toggle quote (6 lines)> This patch series does it! It integrates checkout authentication> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.> automatically authenticate the commits they fetch and raise an> error if they find an unsigned commit or a commit signed by an> unauthorized party¹.
Last days to comment on this change! :-) https://issues.guix.gnu.org/41767 If there are no objections by then, I’ll push on Tuesday 16th. Ludo’.
Toggle quote (12 lines)> git-authenticate: Cache takes a key parameter.> git-authenticate: 'authenticate-commits' takes a #:keyring parameter.> tests: Move OpenPGP helpers to (guix tests gnupg).> channels: 'latest-channel-instance' authenticates Git checkouts.> channels: Make 'validate-pull' call right after clone/pull.> .guix-channel: Add 'keyring-reference'.> channels: Automatically add introduction for the official 'guix'> channel.> pull: Add '--disable-authentication'.> DROP? channels: Add prehistorical authorizations to> <channel-introduction>.
Pushed! 619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default. 838ac881ec time-machine: Add '--disable-authentication'. a9eeeaa6ae pull: Add '--disable-authentication'. c3f6f564e9 channels: Automatically add introduction for the official 'guix' channel. a941e8fe1f .guix-channel: Add 'keyring-reference'. 5bafc70d1e channels: Make 'validate-pull' call right after clone/pull. 43badf261f channels: 'latest-channel-instance' authenticates Git checkouts. 1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg). 41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring parameter. a450b4343b git-authenticate: Cache takes a key parameter. I made the following changes: 1. The introductory of the ‘guix’ channel is now 9edb3f66fd807b096b48283debdcddccfea34bad (was 87a40d7203a813921b3ef0805c2b46c0026d6c31). This is because one of the parents of 9edb3f66fd807b096b48283debdcddccfea34bad lacks ‘.guix-authorizations’. Consider it set in stone now! 2. I added ‘--disable-authentication’ for ‘guix time-machine’ in a extra commit (it was easier than I thought because we don’t need to disable inferior caching). 3. In an extra commit, I made “make authenticate” behave like ‘guix pull’ by default—i.e., assume that commits whose parent lack the ‘.guix-authorizations’ file are unauthorized. It’s still possible to run “make authenticate GUIX_USE_HISTORICAL_AUTHORIZATIONS=yes” to assume “historical authorizations” for those commits. Future work includes making that mechanism available to third-partychannels, which in turn means providing a public interface for “channelintroductions” and probably a ‘guix channel’ CLI, as discussed earlier. Let me know if you notice anything wrong! Ludo’.
Toggle quote (13 lines)> Pushed!>> 619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default.> 838ac881ec time-machine: Add '--disable-authentication'.> a9eeeaa6ae pull: Add '--disable-authentication'.> c3f6f564e9 channels: Automatically add introduction for the official 'guix' channel.> a941e8fe1f .guix-channel: Add 'keyring-reference'.> 5bafc70d1e channels: Make 'validate-pull' call right after clone/pull.> 43badf261f channels: 'latest-channel-instance' authenticates Git checkouts.> 1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg).> 41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring parameter.> a450b4343b git-authenticate: Cache takes a key parameter.
Like I wrote, there’s still work to be done in this area, but at leastwe can now have the pleasure to close this 4-year old bug. \o/ https://issues.guix.gnu.org/22883 Ludo’.