Andreas Enge <andr...@enge.fr> writes:

> Hello,
>
> Am Wed, Mar 29, 2023 at 01:49:23AM +0530 schrieb Vijaya Anand:
>> In the case of accessing Guix substitutes from p2p
>> network, we ensure authorization by Guix team by making sure the urn of the
>> substitute is the urn mentioned in the narinfo
>
> no, currently substitutes are authenticated by a digital signature with one
> of the substitute servers (the user has control over which signing keys are
> accepted, see /etc/guix/acl). It happens after the download.
>

Slight elaboration:

Currently the official Guix substitute servers provide a signed Narinfo
that contains the SHA256 sum of the substitute. The SHA256 sum of a
downloaded substitute is checked to match what is in the signed
Narinfo.

With the ERIS patches (https://issues.guix.gnu.org/52555) the signed
Narinfo also contains the ERIS URN. When getting a substitute this
signed ERIS URN is used. Decoding content from an ERIS URN guarantees
integrity, thus we also have authenticity.

Nevertheless, we still compute the SHA256 sum and check it. This is not
really necessary for ensuring authenticity but, imho, good practice for
now to be really sure we only use authenticated substitutes. Especially
when developing transparent fallback mechanisms that might go back to
just downloading the entire substitute from HTTP.

-pukkamustard
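The post-download check described above (the signed narinfo carries the NarHash, and the SHA256 of what was downloaded must match it), as an added example that is not code from the thread, from Guix or from the ERIS patches. It assumes the narinfo's signature has already been verified against an accepted key; the Signature value and the narinfo contents are constructed placeholders, and the "NAR" is just the bytes `abc`.

```python
import hashlib
import hmac

# Alphabet used by Nix and Guix for NarHash (no e, o, t, u).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"

# Constructed sample: a narinfo whose "NAR" is just the bytes b"abc".
# Real NARs are archives; the Signature is a placeholder and is NOT
# verified here (that step is assumed to have happened already).
SAMPLE_NARINFO = """\
StorePath: /gnu/store/placeholder-example-1.0
NarHash: sha256:1b8m03r63zqhnjf7l5wnldhh7c134ap5vpj0850ymkq1iyzicy5s
NarSize: 3
Signature: PLACEHOLDER-SIGNATURE-CHECKED-ELSEWHERE
"""

def nix_base32(digest: bytes) -> str:
    """Encode a digest as nix-base32 (same bit order as Nix's printHash32)."""
    n_chars = (len(digest) * 8 - 1) // 5 + 1   # 52 characters for SHA-256
    out = []
    for n in range(n_chars - 1, -1, -1):       # most significant 5-bit group first
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)

def nar_hash(nar: bytes) -> str:
    """NarHash as written in a narinfo: SHA-256 of the uncompressed NAR."""
    return "sha256:" + nix_base32(hashlib.sha256(nar).digest())

def parse_narinfo(text: str) -> dict:
    """A narinfo is a sequence of 'Key: value' lines; keep them as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields

def nar_matches_narinfo(narinfo: dict, nar: bytes) -> bool:
    """Post-download check: the downloaded NAR must match NarSize and NarHash."""
    if int(narinfo.get("NarSize", -1)) != len(nar):
        return False
    if not narinfo.get("NarHash", "").startswith("sha256:"):
        return False                           # only a SHA-256 NarHash is handled here
    return hmac.compare_digest(nar_hash(nar), narinfo["NarHash"])
```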
