Andreas Enge <andr...@enge.fr> writes:
> Hello,
>
> On Wed, Mar 29, 2023 at 01:49:23AM +0530, Vijaya Anand wrote:
>> In the case of accessing Guix substitutes from p2p
>> network, we ensure authorization by Guix team by making sure the urn of the
>> substitute is the urn mentioned in the narinfo
>
> no, currently substitutes are authenticated by a digital signature with one
> of the substitute servers (the user has control over which signing keys are
> accepted, see /etc/guix/acl). It happens after the download.
>

Slight elaboration:

Currently the official Guix substitute servers provide a signed Narinfo that contains the SHA256 sum of the substitute. The SHA256 sum of a downloaded substitute is checked to match what is in the signed Narinfo.

With the ERIS patches (https://issues.guix.gnu.org/52555) the signed Narinfo also contains the ERIS URN. When getting a substitute this signed ERIS URN is used. Decoding content from an ERIS URN guarantees integrity, thus we also have authenticity.

Nevertheless, we still compute the SHA256 sum and check it. This is not really necessary for ensuring authenticity but, imho, good practice for now to be really sure we only use authenticated substitutes. Especially when developing transparent fallback mechanisms that might go back to just downloading the entire substitute from HTTP.

-pukkamustard
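The check sequence described in this thread (a signed narinfo that binds the substitute's SHA256 sum, signature accepted only under a key the user trusts, hash of the downloaded bytes compared afterwards), as an added illustration in Go. This is not Guix's own code: it uses a simplified narinfo layout with hex hashes and an Ed25519 signature over the preceding lines (real Guix narinfos use nix-base32 hashes and libgcrypt s-expression signatures), the field names `NarHash` and `ERISURN` are assumptions, the store path is constructed, and the ERIS URN value is a placeholder rather than a real content-derived URN. What it shows is why the transport does not matter: a valid signature plus a matching hash authenticates the bytes whether they came over HTTP or from a p2p network, and a tampered nar, a tampered narinfo, or an unknown signing key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Narinfo is a simplified narinfo record, constructed for this example.
// The signature covers the raw text of every line before the Signature line.
type Narinfo struct {
	Fields     map[string]string
	SignedBody []byte // exact bytes the signature covers
	Signature  []byte
}

// ParseNarinfo splits "Key: Value" lines and separates the trailing Signature.
func ParseNarinfo(text string) (*Narinfo, error) {
	ni := &Narinfo{Fields: map[string]string{}}
	var body strings.Builder
	for _, line := range strings.Split(strings.TrimRight(text, "\n"), "\n") {
		parts := strings.SplitN(line, ": ", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed narinfo line %q", line)
		}
		if parts[0] == "Signature" {
			sig, err := hex.DecodeString(parts[1])
			if err != nil {
				return nil, err
			}
			ni.Signature = sig
			ni.SignedBody = []byte(body.String())
			return ni, nil
		}
		ni.Fields[parts[0]] = parts[1]
		body.WriteString(line + "\n")
	}
	return nil, errors.New("narinfo has no Signature line")
}

// AuthenticateNarinfo accepts the narinfo only if its signature verifies under
// one of the keys the user trusts (the role /etc/guix/acl plays in Guix).
func AuthenticateNarinfo(ni *Narinfo, acl []ed25519.PublicKey) error {
	for _, pub := range acl {
		if ed25519.Verify(pub, ni.SignedBody, ni.Signature) {
			return nil
		}
	}
	return errors.New("narinfo signature not valid under any accepted key")
}

// NarHashField formats the SHA256 of a nar the way this example's narinfo
// carries it (hex; real Guix uses nix-base32).
func NarHashField(nar []byte) string {
	sum := sha256.Sum256(nar)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifySubstitute compares the downloaded nar with the NarHash bound by the
// signed narinfo; this is the post-download check the thread refers to.
func VerifySubstitute(ni *Narinfo, nar []byte) error {
	want := ni.Fields["NarHash"]
	if !strings.HasPrefix(want, "sha256:") {
		return errors.New("NarHash is missing or not a sha256 hash")
	}
	if got := NarHashField(nar); got != want {
		return fmt.Errorf("nar hash mismatch: narinfo says %s, download is %s", want, got)
	}
	return nil
}

// SignNarinfo stands in for the substitute server: fixed field order, then an
// Ed25519 signature over the body appended as the last line.
func SignNarinfo(priv ed25519.PrivateKey, fields [][2]string) string {
	var body strings.Builder
	for _, kv := range fields {
		body.WriteString(kv[0] + ": " + kv[1] + "\n")
	}
	sig := ed25519.Sign(priv, []byte(body.String()))
	return body.String() + "Signature: " + hex.EncodeToString(sig) + "\n"
}

// FetchAndVerify runs the steps in the order the thread describes:
// authenticate the narinfo first, then check the downloaded nar against it.
func FetchAndVerify(narinfoText string, nar []byte, acl []ed25519.PublicKey) error {
	ni, err := ParseNarinfo(narinfoText)
	if err != nil {
		return err
	}
	if err := AuthenticateNarinfo(ni, acl); err != nil {
		return err
	}
	return VerifySubstitute(ni, nar)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nar := []byte("constructed nar archive bytes") // stands in for a real nar
	text := SignNarinfo(priv, [][2]string{
		{"StorePath", "/gnu/store/example-hello-2.12"}, // constructed path
		{"URL", "nar/example-hello-2.12.nar"},
		{"NarHash", NarHashField(nar)},
		{"ERISURN", "urn:eris:PLACEHOLDER"}, // placeholder; field name is an assumption
	})
	acl := []ed25519.PublicKey{pub}
	tampered := append(append([]byte{}, nar...), '!')
	fmt.Println("genuine:     ", FetchAndVerify(text, nar, acl))
	fmt.Println("tampered nar:", FetchAndVerify(text, tampered, acl))
	fmt.Println("no trusted key:", FetchAndVerify(text, nar, nil))
}
```

Because the hash (and, with the ERIS patches, the URN) sits inside the signed body, a mirror or peer can only serve the exact bytes the signing server committed to; the fallback to plain HTTP that the thread mentions therefore does not weaken the guarantee as long as the same post-download check runs on every path.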