GNU bug report logs

#22883 Trustable "guix pull"


Message #183 received at 22883@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Jakub Kądziołka <kuba@kadziolka.net>
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
Date: Wed, 08 Jan 2020 14:30:04 +0100
In-Reply-To: <20191231191639.s2o4ycysloj4kwb5@zdrowyportier.kadziolka.net>
 ("Jakub Kądziołka"'s message of "Tue, 31 Dec 2019 20:16:39 +0100")
Message-ID: <87sgkqdqjn.fsf@gnu.org>
Cc: 22883@debbugs.gnu.org

Hello,

Jakub Kądziołka <kuba@kadziolka.net> skribis:

> Ludovic Courtès wrote:

[...]

>>    How do you ensure that you obtained a genuine copy of the repository?
>> Guix itself provides a tool to “authenticate” your checkout, but you
>> must first make sure this tool is genuine in order to “bootstrap” the
>> trust chain.  To do that, run:
>> 
>>      git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
>> 
>>    The output must look something like:
>> 
>>      gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
>>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>      ...
>>      gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
>>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>      ...
>> 
>> ...  meaning that changes to this file are all signed with key
>> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
>> key from a key server, if you have not done it yet).
>> 
>>    From there on, you can authenticate all the commits included in your
>> checkout by running:
>> 
>>      make authenticate
>> 
>>    The first run takes a couple of minutes, but subsequent runs are
>> faster.
>> 
>>      Note: You are advised to run ‘make authenticate’ after every ‘git
>>      pull’ invocation.  This ensures you keep receiving valid changes to
>>      the repository
>> --8<---------------cut here---------------end--------------->8---
>
> Sadly, these instructions don't work from a fresh clone. There is only
> Makefile.am and no Makefile itself, so you get
>
> $ make authenticate
> make: *** No rule to make target 'authenticate'.  Stop.

Uh, good point.

> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.

It works as long as I’m the only one modifying it (the instructions
above explicitly mention my OpenPGP key).

This is obviously suboptimal though.  In a comment in
‘contributing.texi’, I wrote:

  @c XXX: Adjust instructions when there's a known tag to start from.

That would simplify things.

> There's also the issue of trusting pre-inst-env, which is used to run
> the verification. Should that be passed to 'git log --format=%H' next to
> git-authenticate.scm? This also applies to any scripts you use to drive
> this process, like the Makefile.

Yes, this ./pre-inst-env thing and more generally the fact that we’re
potentially running just-pulled code to authenticate the code is a
problem.

We can solve it by removing ./pre-inst-env from the command in ‘make
authenticate’.  It will require people to have a recent-enough Guix
already installed (in particular with commit
f94f9d67e65975724ee5b5cbc936c0895a258685), but I think that’s
unavoidable: the assumption will be that we trust the already-installed
host tools and use them to authenticate the new code.

Thoughts?

Ludo’.
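
The bootstrap check from the quoted instructions, with the key comparison done mechanically instead of by reading gpg's output, as an added example that is not part of this message or of Guix. The names `sig_matches` and `check_paths` are hypothetical; it assumes the host-installed `git` and `gpg` are trusted, as the message proposes, and that the signer's public key is already in the keyring.

```shell
#!/bin/sh
# Added example: every commit touching the given files must carry a valid
# signature made by one expected OpenPGP key.

# Fingerprint quoted in the instructions above.
EXPECTED_FPR=3CE464558A84FDC69DB40CFB090B11993D9AEBB5

# sig_matches FPR: read GnuPG status lines on stdin.  Succeed only if a
# VALIDSIG line names FPR as the signing key ($3) or as the primary key
# (last field, which differs from $3 when a subkey signed), and no
# REVKEYSIG line reports a revoked key.
sig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { revoked = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Appending "" forces string comparison of the hex fingerprints.
            if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1
        }
        END { exit !(ok && !revoked) }'
}

# check_paths PATH...: verify each commit that modified PATH... and report
# the ones that are unsigned or signed by another key.  Returns 1 if any.
check_paths() {
    bad=0
    for commit in $(git log --format=%H -- "$@"); do
        # --raw prints the GnuPG status output on stderr; keep only that.
        if ! git verify-commit --raw "$commit" 2>&1 >/dev/null \
                | sig_matches "$EXPECTED_FPR"; then
            echo "unsigned or unexpected signer: $commit" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Run from the top of a checkout, e.g.:
#   sh check-signers.sh build-aux/git-authenticate.scm
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```

Further paths, such as the scripts that drive the verification, can be passed as extra arguments so that they are covered by the same check.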






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:37:00 2024; Machine Name: wallace-server
