guix-devel
Re: Signed archives


From: Ludovic Courtès
Subject: Re: Signed archives
Date: Fri, 21 Feb 2014 22:17:29 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Hello,

Sorry for the delay!

Nikita Karetnikov <address@hidden> wrote:

> 1. Will hydra.gnu.org serve only signed .narinfo files?

Hydra (the software) can do both, but hydra.gnu.org will sign
everything.

> 2. If not, how can one opt out of verifying while using ‘guix
>    substitute-binary’?  Should we add an option to ‘guix package’ and
>    ‘guix build’?

In general, I don’t think we’d want to opt out.

Technically there’s also the problem that substitute-binary is spawned
by the daemon, so we have no direct way to communicate with it.

> 3. How does a user get Hydra’s public key?

I imagine we could distribute it with Guix tarballs, in the repo, and
perhaps also on ftp.gnu.org GPG-signed by myself (say).

> 4. Will the entire cache be signed with a single key?  (Mark, would you
>    like to add something?)

(I think “cache” is ambiguous here.)  All the archives served by Hydra
will be signed.

> 5. When do we want to verify the .narinfo file?  Can it be done in
>    ‘read-narinfo’?

I think so, yes, and raise an error if there’s a signature issue, as
done in ‘restore-file-set’, in nar.scm.

(IIRC what’s implemented in Hydra, only .narinfos are signed, and not
the archives themselves, right?)

> Similarly, should we sign and base64-encode in ‘write-narinfo’?

Currently ‘write-narinfo’ is used only internally, when populating the
local narinfo lookup cache.  So there’s no need to sign things here (it
will be useful when we have an HTTP server that can publish archives
using the same protocol.)

However, the local lookup cache should probably keep the signatures it
got from hydra.gnu.org, unchanged.  Thus, ‘write-narinfo’ should do the
right thing to preserve the ‘Signature’ field.

> 6. Where should ‘guix substitute-binary’ look for a keypair?

It should use ‘authorized-key?’ from (guix pki), which in turn loads the
ACL from $sysconfdir (info "(guix) Invoking guix archive").

> 7. How do we determine that a file is signed with a trusted key?  What
>    if we don’t have the needed public key?  Does it mean we miss the
>    right one, or is it a MITM attack?

‘authorized-key?’ will DTRT.  :-)

HTH!

Ludo’.

Attachment: pgpQxCVni295S.pgp
Description: PGP signature
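The verification flow sketched in this message (read the narinfo, check the signing key against the ACL loaded from $sysconfdir, then check the signature, while ‘write-narinfo’ keeps the ‘Signature’ field untouched for the local cache) is shown below as an added example. It is not Guix code and not written in Guile: it is a self-contained Go program using Ed25519, with an assumed ‘Signature’ field encoding of "name;base64(pubkey);base64(signature)" and an assumed ACL shape (key name to public key); the narinfo contents are constructed sample data. It also separates the outcomes the last question asks about: an unsigned file, a signature by a key not in the ACL (a missing key and a MITM look the same from the client's side, so both are refused), and a signature that does not verify over the content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Verification outcomes. ErrUnknownKey covers both cases raised in the thread:
// the client lacks the right public key, or someone is serving narinfos signed
// with a key of their own. The ACL cannot tell these apart; both are refused.
var (
	ErrUnsigned     = errors.New("narinfo: no Signature field")
	ErrUnknownKey   = errors.New("narinfo: signing key is not in the ACL")
	ErrBadSignature = errors.New("narinfo: signature does not verify")
)

// Field is one "Key: value" line of a narinfo, kept in file order.
type Field struct{ Key, Value string }

// ACL stands in for the list loaded from $sysconfdir (assumed shape).
type ACL map[string]ed25519.PublicKey

// AuthorizedKey plays the role of authorized-key?: the named key must be in
// the ACL with exactly this public key.
func AuthorizedKey(acl ACL, name string, pub ed25519.PublicKey) bool {
	known, ok := acl[name]
	return ok && known.Equal(pub)
}

// ParseNarinfo splits "Key: value" lines; the Signature line is kept as-is.
func ParseNarinfo(text string) []Field {
	var fields []Field
	for _, line := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(line, ": "); ok {
			fields = append(fields, Field{k, v})
		}
	}
	return fields
}

// WriteNarinfo serialises the fields unchanged, Signature included, so a
// cache round trip preserves the signature byte for byte.
func WriteNarinfo(fields []Field) string {
	var b strings.Builder
	for _, f := range fields {
		fmt.Fprintf(&b, "%s: %s\n", f.Key, f.Value)
	}
	return b.String()
}

// signedPayload is what the signature covers: every field except Signature.
func signedPayload(fields []Field) []byte {
	var rest []Field
	for _, f := range fields {
		if f.Key != "Signature" {
			rest = append(rest, f)
		}
	}
	return []byte(WriteNarinfo(rest))
}

// SignNarinfo appends "Signature: name;b64(pub);b64(sig)" (assumed encoding).
func SignNarinfo(fields []Field, name string, priv ed25519.PrivateKey) []Field {
	sig := ed25519.Sign(priv, signedPayload(fields))
	pub := priv.Public().(ed25519.PublicKey)
	enc := base64.StdEncoding.EncodeToString
	return append(fields, Field{"Signature", name + ";" + enc(pub) + ";" + enc(sig)})
}

// VerifyNarinfo checks the ACL first, then the signature over the content.
func VerifyNarinfo(fields []Field, acl ACL) error {
	var sigField string
	for _, f := range fields {
		if f.Key == "Signature" {
			sigField = f.Value
		}
	}
	if sigField == "" {
		return ErrUnsigned
	}
	parts := strings.Split(sigField, ";")
	if len(parts) != 3 {
		return ErrBadSignature
	}
	pub, err1 := base64.StdEncoding.DecodeString(parts[1])
	sig, err2 := base64.StdEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return ErrBadSignature
	}
	if !AuthorizedKey(acl, parts[0], ed25519.PublicKey(pub)) {
		return ErrUnknownKey
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedPayload(fields), sig) {
		return ErrBadSignature
	}
	return nil
}

// NewKey generates a fresh Ed25519 keypair for the demonstration.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Constructed sample record; not a real hydra.gnu.org narinfo.
const sampleNarinfo = "StorePath: /gnu/store/EXAMPLE-hello-2.9\nURL: nar/EXAMPLE-hello-2.9\nCompression: bzip2\nNarHash: sha256:EXAMPLE\n"

func main() {
	hydraPub, hydraPriv := NewKey()
	_, otherPriv := NewKey()
	acl := ACL{"hydra.gnu.org": hydraPub}
	signed := SignNarinfo(ParseNarinfo(sampleNarinfo), "hydra.gnu.org", hydraPriv)
	fmt.Println("genuine:", VerifyNarinfo(signed, acl))
	fmt.Println("after cache round trip:", VerifyNarinfo(ParseNarinfo(WriteNarinfo(signed)), acl))
	tampered := ParseNarinfo(strings.Replace(WriteNarinfo(signed), "hello-2.9", "hello-2.9x", 1))
	fmt.Println("tampered content:", VerifyNarinfo(tampered, acl))
	impostor := SignNarinfo(ParseNarinfo(sampleNarinfo), "hydra.gnu.org", otherPriv)
	fmt.Println("key not in ACL:", VerifyNarinfo(impostor, acl))
}
```

Checking the ACL before the signature matters for the error reported: a file signed by a key that is not authorized is rejected as an unknown key even when the signature itself is mathematically valid, which is the situation question 7 describes.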
