Nikita Karetnikov <nik...@karetnikov.org> skribis:

>> When downloading new tarballs, it also retrieves signatures and checks
>> them with GPG, via the new (guix gnupg) module.
>
> Could you point me to this part of the source code? I fail to find it.

See ‘download-tarball’ in gnu-maintenance.scm.

>> If the public key is missing, it attempts to get it from keys.gnupg.net,
>> and tries again; in that case, the key is added to your keyring.
>
> I haven't tried the tool yet, but I'm suspicious.

Ah, I’m glad somebody chimes in. ;-)

> First, what if the mirror is malicious but the key is there? You'll
> fetch a malicious tarball and a malicious key.

Objects aren’t malicious. Perhaps you’re talking about situations where a mirror provides a tarball along with a valid signature, but said signature is made with a random key, and the tarball is actually not genuine, right?

First, note that ‘download-tarball’ fetches from ftp.gnu.org directly (or ftp.gnupg.org, etc.), not from mirrors.

Second, this is the same model as the one used by the OpenSSH client. When the client is first introduced to a host, it presents you with its key fingerprint, you type ‘y’, and that key gets added to your known hosts file. From there on, person-in-the-middle attacks are trivially detected as a key mismatch.

With this approach, introduction is the weak link. It is mitigated by the fact that, for instance, I’ve already imported and signed keys of several GNU maintainers, and by common sense (manually checking the signatures on a key, the tarball contents, etc.).

Also, keep in mind that ‘guix refresh’ is primarily a maintainer’s tool. It’s exactly what I would do manually. What about you?

> Is it possible to use three mirrors to check keys and tarballs?

Check against what? What do you want to address?

> I also think that one must always check keys manually (using similar
> pages [1]). Maybe we should manually add fingerprints to a
> licenses.scm-like file and use it along with keys.gnupg.net. It sounds
> tedious, but it'll be necessary only when you package something for the
> first time. What do you think?

There’s the ftp.gnu.org/gnu/gnu-keyring.gpg file, which contains all the keys ever allowed to sign GNU uploads. But that file is itself currently unsigned.

Ideally (I think) that file would be signed, and the Guix repo would contain the master key used to sign gnu-keyring.gpg. From there, it could fetch that keyring and authenticate it anytime, which in turn could be used to authenticate GNU source tarballs, as needed for the on-line auto-updater (see <http://lists.gnu.org/archive/html/bug-guix/2013-03/msg00032.html>). This is similar to Debian’s approach, AIUI.

I’ve made this suggestion to one of the FSF sysadmins, but it seems to need further discussion, and probably input from crypto-savvy people.

> It also bugs me that there are a lot of packages which are not signed at
> all. I guess I'll start to ask maintainers to add signatures (at least
> for the future versions). I hope you'll do the same.

All the packages on gnu{,pg}.org are signed. I think very few GNU packages are unsigned. For non-GNU packages, the situation is not as good, and I agree we must spread the word, but that won’t change overnight.

> Second, is there a way not to pollute my keyring with such keys or at
> least mark them somehow (for example, as not trusted)?

They are marked as such by default. Problem is, I want to use my default keyring because it already contains many keys that I signed. So I don’t see how to accommodate both needs.

Thanks for sharing your thoughts and concerns!

Ludo’.
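The two verification flows discussed in the message above, as an added example that is neither Guix code nor from the thread: the fetch-the-missing-key-and-retry behaviour described for ‘download-tarball’ (here `verify_tofu`), and the proposed model in which a keyring shipped with the repository is the only trust root (here `verify_pinned`). It assumes GnuPG’s `gpg` and `gpgv` are installed, that the caller supplies the keyring path and tarball/signature files, and uses keys.gnupg.net as the keyserver only because the thread names it; the `[GNUPG:]` status lines it parses are GnuPG’s `--status-fd` format, not anything Guix emits.

```shell
#!/bin/sh
# Added example (not Guix code, not from the thread): authenticate a GNU
# tarball against its detached .sig in the two ways discussed above.
#
# verify_pinned  - the Debian-like model: a keyring file shipped with the
#                  repository is the only trust root. gpgv reads just that
#                  file, so a key pulled from a keyserver cannot satisfy it.
# verify_tofu    - the model download-tarball is described as using: verify
#                  with the user's keyring; on NO_PUBKEY fetch that key ID
#                  from the keyserver (keys.gnupg.net, as named above) and
#                  retry. The fetched key gets no ownertrust, so gpg reports
#                  GOODSIG together with TRUST_UNDEFINED.
#
# Assumptions: gpg and gpgv (GnuPG) are installed; keyring path, tarball,
# signature and keyserver are supplied by the caller. Parsing uses gpg's
# machine-readable --status-fd lines, not its human-readable output.

# Key ID gpg could not find: "[GNUPG:] NO_PUBKEY <long key id>".
missing_keyid() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }'
}

# Fingerprint of the signing key: "[GNUPG:] VALIDSIG <fingerprint> ...".
sig_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Ownertrust gpg assigned to the signer: TRUST_UNDEFINED for a key that was
# merely imported, TRUST_FULLY / TRUST_ULTIMATE for one you have signed.
sig_trust() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# Classify a status transcript as good, bad, nokey or error.
sig_outcome() {
    if   printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG ';   then echo good
    elif printf '%s\n' "$1" | grep -q '^\[GNUPG:\] BADSIG ';    then echo bad
    elif printf '%s\n' "$1" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then echo nokey
    else echo error
    fi
}

# verify_pinned KEYRING TARBALL SIG
# Exit 0 only if SIG over TARBALL was made by a key in KEYRING. gpgv with an
# explicit --keyring ignores the default keyring, the web of trust and any
# keyserver. Give the keyring as ./file or an absolute path: a bare name is
# looked up in the GnuPG home directory instead.
verify_pinned() {
    gpgv --keyring "$1" "$3" "$2"
}

# verify_tofu TARBALL SIG [KEYSERVER]
verify_tofu() {
    tarball="$1"; sig="$2"; keyserver="${3:-keys.gnupg.net}"
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null || true)
    if [ "$(sig_outcome "$status")" = nokey ]; then
        keyid=$(missing_keyid "$status")
        echo "no public key $keyid in keyring; fetching it from $keyserver" >&2
        gpg --keyserver "$keyserver" --recv-keys "$keyid" || return 1
        status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null || true)
    fi
    case "$(sig_outcome "$status")" in
        good)
            echo "good signature by $(sig_fingerprint "$status"), trust $(sig_trust "$status")"
            # A freshly fetched key verifies but is TRUST_UNDEFINED. Introduction
            # is the weak link, so surface the fingerprint for an out-of-band
            # check instead of accepting it silently.
            [ "$(sig_trust "$status")" != TRUST_UNDEFINED ] ||
                echo "signer not yet trusted; check this fingerprint out of band" >&2
            return 0 ;;
        bad)   echo "BAD signature on $tarball" >&2; return 1 ;;
        *)     echo "could not verify $tarball" >&2; return 1 ;;
    esac
}

# Usage: ./verify.sh pinned KEYRING TARBALL SIG
#        ./verify.sh tofu TARBALL SIG [KEYSERVER]
case "${1:-}" in
    pinned) verify_pinned "$2" "$3" "$4" ;;
    tofu)   verify_tofu "$2" "$3" "${4:-}" ;;
esac
```

The contrast the thread draws falls out of the two entry points: `verify_pinned` can only ever succeed with a key that was already in the shipped keyring, so a signature made with a random key fails outright, whereas `verify_tofu` will import that key and report a good signature at TRUST_UNDEFINED, which is exactly why the fingerprint still has to be checked by hand the first time a package is seen.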