[security] Substitutes fetched from server with no authorized key

  • Done
  • quality assurance status badge
Details
3 participants
  • Julien Lepiller
  • Ludovic Courtès
  • Pierre Neidhardt
Owner
unassigned
Submitted by
Pierre Neidhardt
Severity
normal

Debbugs page

P
P
Pierre Neidhardt wrote on 17 Jun 2020 00:37
(address . bug-guix@gnu.org)
87k106nnwg.fsf@ambrevar.xyz
I could be doing something wrong, but...

1. Alice starts `guix publich -u ambrevar`.
2. Bob, who did _not_ authorize Alice's signing key:
- herd stop guix-daemon
- guix-daemon --build-users-grouop=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
- guix build curl

Result:

Toggle snippet (3 lines)
downloading from http://10.0.0.4:8080/nar/gzip/...

Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.

Am I missing something or there is something really wrong?

--
Pierre Neidhardt
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEUPM+LlsMPZAEJKvom9z0l6S7zH8FAl7pyD8ACgkQm9z0l6S7
zH8Cugf+IAlsX15YU7gqZcJny2L/3pUVxVrFgJe1tCZ7jWEdOZow+uGVSqUujYZ+
Exv4KMc4051Qp5twDXELUpPcT0pmx6jRFd8XHGNg5r9JFIIbeH+XaA/XFc9NPcIL
WWo/1vQbrTqfnx6mmlKIVGZu2kAHGqtnWJFcbGRGerVLJG2L7mFfsS7qz/UIyACv
z5IkNAO0NOsN/QoN5vvgy+fwxfQZZY17WV3nug0dheD1R5+4arZJ3IAQpbuq3uvp
rENfOd47/bOvCMVYgLKvAUXRHRcP6Kib05YrLH8wK29/sl65rnsAZmepiYHFxar+
YxfvPzmta+dNXdqg6tNgVQ81cKCGTQ==
=sw4u
-----END PGP SIGNATURE-----

J
J
Julien Lepiller wrote on 17 Jun 2020 04:05
DDDA1FF9-4503-4547-BF17-CFA181DDD204@lepiller.eu
Le 17 juin 2020 03:37:35 GMT-04:00, Pierre Neidhardt <mail@ambrevar.xyz> a écrit :
Toggle quote (19 lines)
>I could be doing something wrong, but...
>
>1. Alice starts `guix publich -u ambrevar`.
>2. Bob, who did _not_ authorize Alice's signing key:
> - herd stop guix-daemon
>- guix-daemon --build-users-grouop=guixbuild
>--substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
> - guix build curl
>
>Result:
>
>--8<---------------cut here---------------start------------->8---
>downloading from http://10.0.0.4:8080/nar/gzip/...
>--8<---------------cut here---------------end--------------->8---
>
>Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
>
>Am I missing something or there is something really wrong?

There are two ways that you can get substitutes from unauthorized servers:

Substitutes for fixed-output derivations: guix lredy knows the result, so it doesn't need a signature, it checks the result (not sure this is a thing)

Substitutes that are reproducible. If you have a narinfo from an authorized build farm for a package in your local cache and alice's publish server proposes the same (name and checksum) substitute, you can download it. This is definitely a thing.

Other than that, guix should not use alice's substitutes.
P
P
Pierre Neidhardt wrote on 17 Jun 2020 04:51
87h7v929m5.fsf@ambrevar.xyz
Oh, that makes sense!
This is very smart actually!

Thanks a lot for the explanation!

--
Pierre Neidhardt
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEUPM+LlsMPZAEJKvom9z0l6S7zH8FAl7qA9IACgkQm9z0l6S7
zH+r3AgAqRIIiJc30UJ4XNyeOMKEIAKYCBSKNdKMccCirT8HimO03X7lH3BBczNJ
EtV2id3Hx1PEf42Da0pNp6C0j99rd+qCh4Eewy00OVCNJ+SAM6IBeljE8Psiz4dt
aQPlJdOFQhtnY6Fj34SlggUE6GbejJ2+ufp6NhXGjTIrBRti7ym6HbiiIhM+aML7
OGtuUqDurMVcMp+fW1BKGQQuqjevGWBlR/HoxSJq/sMFKXTQ7AC9zaUkC5pruBp8
3r5SbLLF7tG+NWOHFVq4ZJOo2cfNoJ9Q0OJx1ObTsyCL4GvLwJHIn2qMyWtXO1Zj
wpuDUD83ismy5F8KuGKAGpSZ9hPkOQ==
=J1n6
-----END PGP SIGNATURE-----

P
P
Pierre Neidhardt wrote on 17 Jun 2020 04:52
control message for bug #41907
(address . control@debbugs.gnu.org)
87ftat29lj.fsf@ambrevar.xyz
close 41907
quit
L
L
Ludovic Courtès wrote on 19 Jun 2020 13:51
(address . control@debbugs.gnu.org)
87eeqaeq47.fsf@gnu.org
tags 41907 + notabug
quit
?
Your comment

This issue is archived.

To comment on this conversation send an email to 41907@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 41907
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch