(Re-adding bug-guix@.)

Eelco Dolstra <[email protected]> wrote:
> On 22/05/13 11:12, Ludovic Courtès wrote:
>
>> Currently the “binary cache” substituter relies on DNS to authenticate
>> downloaded binaries: anything coming from, say, hydra.nixos.org is
>> considered authentic, because hydra.nixos.org is listed in the
>> ‘trusted-binary-cache’ list.
>>
>> This is obviously subject to person-in-the-middle attacks: one could
>> connect over Wifi to somebody else’s network, which happens to redirect
>> hydra.nixos.org to evil.example.com, and end up downloading evil binaries.
>
> There is an issue about this:
>
> https://github.com/NixOS/nix/issues/75

Ah, good.

>> I was thinking of a simple extension to solve that:
>>
>> 1a. The /nix-cache-info file would contain an (optional)
>> ‘OpenPGPFingerprint’ field, to announce the fingerprint of the
>> OpenPGP key used to sign Nars.
>>
>> 1b. In addition to, or alternatively, a /nix-signing-key file would be
>> served, containing the OpenPGP key used to sign Nars.
>>
>> 2. In addition to serving, say,
>> /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1, the server would
>> also serve /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1.sig, an
>> OpenPGP binary signature of the uncompressed Nar.
>
> How about: rather than relying on nix-cache-info, nix.conf should specify a
> list of fingerprints of trusted OpenPGP signing keys.

Yes (I was focusing on the protocol, to start with.)

> Then when we fetch a .narinfo, we check whether it is signed by a
> trusted key. This way you don't have the problem Lluís described.

I think it’s enough to sign nars. What do you think it would add to sign
narinfos as well?

Thanks,
Ludo’.
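The client-side check the thread converges on (a list of trusted signing-key fingerprints configured locally in nix.conf, a detached .sig served beside each nar, the signature taken over the uncompressed nar), as an added example that is not part of this thread or of the Nix or Guix code bases. Go's standard library has no OpenPGP implementation, so Ed25519 from crypto/ed25519 stands in for the OpenPGP signature, and the "fingerprint" here is simply the hex SHA-256 of the raw public key rather than a real OpenPGP fingerprint; the names VerifyNar, ServeNar, TrustedKeys and the sample nar bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors a substituter would surface instead of unpacking the binary.
var (
	ErrUntrustedKey = errors.New("nar signed by a key not in the trusted fingerprint list")
	ErrBadSignature = errors.New("signature does not cover the downloaded nar")
)

// TrustedKeys plays the role of the proposed nix.conf list of trusted
// signing-key fingerprints: it lives on the client and is never taken
// from the cache being downloaded from.
type TrustedKeys map[string]bool

// fingerprint mimics the role of an OpenPGP key fingerprint (a short, stable
// identifier of a public key). Assumption for this example: hex SHA-256 of
// the raw Ed25519 key, not an actual OpenPGP fingerprint.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NarResponse models what a cache serves for one store path: the uncompressed
// nar (/nar/<hash>-<name>), its detached signature (.sig) and the signer's
// public key (the proposed /nix-signing-key).
type NarResponse struct {
	Nar       []byte
	Sig       []byte
	SignerKey ed25519.PublicKey
}

// ServeNar is the server side: the signature is over the *uncompressed* nar,
// as the proposal says, so the client verifies after decompression and
// before anything is unpacked into the store.
func ServeNar(priv ed25519.PrivateKey, nar []byte) NarResponse {
	return NarResponse{
		Nar:       nar,
		Sig:       ed25519.Sign(priv, nar),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyNar is the client side. The host the bytes arrived from plays no part:
// a key offered by the server is honoured only if its fingerprint is already in
// the local trust list, and the signature must then cover exactly the bytes
// received. A DNS redirect can therefore only yield a key that fails the first
// check or bytes that fail the second.
func VerifyNar(trusted TrustedKeys, r NarResponse) error {
	if len(r.SignerKey) != ed25519.PublicKeySize || !trusted[fingerprint(r.SignerKey)] {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(r.SignerKey, r.Nar, r.Sig) {
		return ErrBadSignature
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario plays out the three cases from the thread and returns each
// verification result: the genuine cache, a redirected host presenting its
// own key, and a nar from the genuine key that was altered in transit.
func RunScenario() (genuine, redirected, tampered error) {
	cachePub, cachePriv := mustKey() // the real cache's signing key
	_, evilPriv := mustKey()         // key of the host DNS was redirected to

	trusted := TrustedKeys{fingerprint(cachePub): true} // configured locally

	nar := []byte("constructed sample nar bytes for gmp-5.1.1") // not a real nar

	genuine = VerifyNar(trusted, ServeNar(cachePriv, nar))

	// The redirected host serves a nar correctly signed by its own, untrusted key.
	redirected = VerifyNar(trusted, ServeNar(evilPriv, []byte("constructed evil bytes")))

	// Bytes changed after the genuine key signed them.
	resp := ServeNar(cachePriv, nar)
	resp.Nar = append([]byte{}, nar...)
	resp.Nar[0] ^= 0xff
	tampered = VerifyNar(trusted, resp)
	return
}

func main() {
	g, r, t := RunScenario()
	fmt.Println("genuine cache:  ", g)
	fmt.Println("redirected host:", r)
	fmt.Println("tampered nar:   ", t)
}
```

Note that the trust decision is made entirely from the local fingerprint list, so an ‘OpenPGPFingerprint’ field in /nix-cache-info would be informational at best: a client that accepted a fingerprint announced by the cache itself would be back to trusting whoever DNS points it at.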
