Re: Signed archives (preliminary patch)
From: Ludovic Courtès
Subject: Re: Signed archives (preliminary patch)
Date: Fri, 28 Feb 2014 23:05:02 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)
Nikita Karetnikov <address@hidden> skribis:
>> There’s an important check missing here: the code verifies that BODY* is
>> a valid signature, but it doesn’t check whether what it signs
>> corresponds to this narinfo up to but excluding the ‘Signature’ field.
>
> Oh, indeed.
>
>> 5. pass the hash to the signature verification procedure.
>
> Then, it should extract the other hash from the Signature line, compare
> the hashes, and run the rest of the checks, right?
The signature is computed over a hash of the narinfo up to the Signature
line, not included.
So the substituter must keep a string containing said lines, and compute
the hash of the UTF-8/ASCII representation of this string.
Then, for verification purposes, it must make sure that the hash found
in the signature sexp is the same as the hash computed as above.
>>> + ("Signature" . ,(lambda (narinfo)
>>> + (let ((sig (narinfo-signature
>>> narinfo)))
>>> + (string-append
>>> + (number->string
>>> (signature-version sig))
>>> + ";"
>>> + (signature-key-id sig)
>>> + ";"
>>> + (base64-encode
>>> + ;; XXX: Can we assume UTF-8 here?
>>> + (string->utf8
>>> + (canonical-sexp->string
>>> + (signature-body sig)))))))))
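Review bot: this lambda rebuilds the Signature field from the parsed sexp (canonical-sexp->string of signature-body, then string->utf8 and base64-encode), so the emitted narinfo only matches what was originally signed if every one of those steps round-trips byte for byte; the XXX comment about UTF-8 already marks one step where that is not guaranteed. Rather than re-serializing, keep the original narinfo text, Signature line included, and write that string out unchanged.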
>
>> It’s important to keep the original signatures intact.
>
> Not sure I follow. Can I simply use ("Signature" . ,narinfo-signature)?
>
>> To fix this, the <narinfo> record must include an additional field to
>> contain the original narinfo string.
>
> Please elaborate. Which string are you talking about?
The narinfo.
Suppose the signature is computed over a hash of this:
--8<---------------cut here---------------start------------->8---
StorePath: /nix/store/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
URL: nar/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
Compression: bzip2
NarHash: sha256:1mn4rm7gs71dsqdm1gilw3h3krgfgbjsmni9yz9dziw1jpcrk3x1
NarSize: 372720
References: 9fnjjsbarscbmakr44ixfv9yhg6z12mw-glibc-2.17 lwc6sygaglzfk17v3w15cc2xv97fjgci-gcc-4.7.2 phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
Deriver: ykf90hcbvn3nm9ai7ikpw992vdq6l95k-gdbm-1.10.drv
System: x86_64-linux
--8<---------------cut here---------------end--------------->8---
The following narinfo, although semantically equivalent, would fail
signature verification:
--8<---------------cut here---------------start------------->8---
NarSize: 372720
StorePath: /nix/store/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
References: 9fnjjsbarscbmakr44ixfv9yhg6z12mw-glibc-2.17 lwc6sygaglzfk17v3w15cc2xv97fjgci-gcc-4.7.2 phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
Deriver: ykf90hcbvn3nm9ai7ikpw992vdq6l95k-gdbm-1.10.drv
System: x86_64-linux
URL: nar/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10
NarHash: sha256:1mn4rm7gs71dsqdm1gilw3h3krgfgbjsmni9yz9dziw1jpcrk3x1
Compression: bzip2
--8<---------------cut here---------------end--------------->8---
That’s why the <narinfo> must include a copy of the exact textual
representation of the narinfo that was signed. Then, ‘write-narinfo’
must simply write out that string, unchanged (including the ‘Signature’
line).
HTH,
Ludo’.
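The verification procedure described in this message, as an added runnable model that is not Guix code: the substituter keeps the received narinfo text verbatim, hashes the UTF-8 bytes of everything above the Signature line, checks that the hash carried inside the signed body equals that computed hash, and writes the original string back out unchanged. The field reordering from the second example above is reproduced to show it failing. Everything key-related is an assumption: an HMAC with a constructed key stands in for the public-key signature, the `(hash sha256 ...)` body layout and the `demo-key` id are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed narinfo, using the same fields as the first example in the mail.
NARINFO_TEXT = (
    "StorePath: /nix/store/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10\n"
    "URL: nar/phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10\n"
    "Compression: bzip2\n"
    "NarHash: sha256:1mn4rm7gs71dsqdm1gilw3h3krgfgbjsmni9yz9dziw1jpcrk3x1\n"
    "NarSize: 372720\n"
    "References: 9fnjjsbarscbmakr44ixfv9yhg6z12mw-glibc-2.17 "
    "lwc6sygaglzfk17v3w15cc2xv97fjgci-gcc-4.7.2 "
    "phw82pzgl32ygpaa1z2v3l04afni7f28-gdbm-1.10\n"
    "Deriver: ykf90hcbvn3nm9ai7ikpw992vdq6l95k-gdbm-1.10.drv\n"
    "System: x86_64-linux\n"
)

# Hypothetical key material.  Guix uses a public-key signature; an HMAC
# stands in for it here only so that the example runs with the standard library.
SIGNING_KEY = b"constructed-demo-key"
KEY_ID = "demo-key"
SIG_PREFIX = "Signature: "


@dataclass
class Narinfo:
    fields: dict      # parsed fields, convenient for lookups
    original: str     # exact text that was signed, kept verbatim


def sign_narinfo(text):
    """Append a Signature line of the form version;key-id;base64(body + mac).
    The body carries the SHA-256 of the UTF-8 bytes of everything above it."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    body = f"(hash sha256 {digest})"          # constructed sexp-like body
    mac = hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()
    encoded = base64.b64encode(f"{body} {mac}".encode("utf-8")).decode("ascii")
    return text + f"{SIG_PREFIX}1;{KEY_ID};{encoded}\n"


def split_signature(text):
    """Return (signed_part, signature_field): the lines before the Signature
    line exactly as received, and that line's value (None if there is none)."""
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line.startswith(SIG_PREFIX):
            return "\n".join(lines[:i]) + "\n", line[len(SIG_PREFIX):]
    return text, None


def parse_fields(text):
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        fields[key] = value.split() if key == "References" else value
    return fields


def verify_narinfo(signed_text):
    """Return (Narinfo, None) on success or (None, reason) on failure."""
    signed_part, sig_field = split_signature(signed_text)
    if sig_field is None:
        return None, "no Signature line"
    version, key_id, encoded = sig_field.split(";", 2)
    if version != "1" or key_id != KEY_ID:
        return None, "unknown signature version or key"
    body, mac = base64.b64decode(encoded).decode("utf-8").rsplit(" ", 1)
    # 1. The signature must be valid over its own body ...
    expected = hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None, "bad signature"
    # 2. ... and the hash inside that body must equal the hash of *this*
    #    narinfo, computed over the bytes up to but excluding the Signature line.
    signed_hash = body.split()[-1].rstrip(")")
    actual = hashlib.sha256(signed_part.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(signed_hash, actual):
        return None, "hash mismatch"
    return Narinfo(parse_fields(signed_part), signed_text), None


def write_narinfo(narinfo):
    """Emit the narinfo exactly as it was signed, Signature line included."""
    return narinfo.original


def reorder_fields(signed_text):
    """Semantically equivalent narinfo (same fields, different order) carrying
    the same Signature line, like the second example in the mail."""
    signed_part, sig_field = split_signature(signed_text)
    reordered = "\n".join(reversed(signed_part.splitlines())) + "\n"
    return reordered + SIG_PREFIX + sig_field + "\n"


def tamper_narhash(signed_text):
    """Same layout, one character of NarHash changed; verification must reject it."""
    return signed_text.replace("NarHash: sha256:1mn4", "NarHash: sha256:0mn4", 1)


SIGNED = sign_narinfo(NARINFO_TEXT)

if __name__ == "__main__":
    for label, text in [("original", SIGNED), ("reordered", reorder_fields(SIGNED)),
                        ("tampered", tamper_narhash(SIGNED))]:
        narinfo, reason = verify_narinfo(text)
        print(label, "->", "OK" if narinfo else reason)
```

Note that the reordered narinfo fails at step 2, not step 1: the signature is still a perfectly valid signature, it just signs a hash that does not describe the text it arrived with. That is the check the message says was missing, and it is also what rejects the tampered NarHash.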