[Nix-dev] Authenticating binary substitutes

Lluís Batlle i Rossell viric at viric.name
Wed May 22 17:42:12 CEST 2013


On Wed, May 22, 2013 at 05:12:20PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Currently the “binary cache” substituter relies on DNS to authenticate
> downloaded binaries: anything coming from, say, hydra.nixos.org is
> considered authentic, because hydra.nixos.org is listed in the
> ‘trusted-binary-cache’ list.
> 
> This is obviously subject to person-in-the-middle attacks: one could
> connect over Wifi to somebody else’s network, which happens to redirect
> hydra.nixos.org to evil.example.com, and end up downloading evil binaries.
> 
> I was thinking of a simple extension to solve that:
> 
>   1a. The /nix-cache-info file would contain an (optional)
>      ‘OpenPGPFingerprint’ field, to announce the fingerprint of the
>      OpenPGP key used to sign Nars.
> 
>   1b. In addition to, or alternatively, a /nix-signing-key file would be
>       served, containing the OpenPGP key used to sign Nars.
> 
>   2.  In addition to serving, say,
>       /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1, the server would
>       also serve /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1.sig, an
>       OpenPGP binary signature of the uncompressed Nar.
> 
> WDYT?  Could this be implemented in Hydra?

I add myself to the request.

The /nix-cache-info or /nix-signing-key files should be requested
only once and stored in the local system, unless the user deletes them. If they
are fetched at every run, we are doomed again.
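The proposal in the quoted message (fingerprint in /nix-cache-info, a served signing key, a detached signature per nar) together with the pinning point made in the reply, as an added example that is not code from the thread or from Nix or Hydra. Assumptions: Ed25519 from Go's standard library stands in for OpenPGP, a `Cache` map stands in for the HTTP server, the `/nix-cache-info` field is named `SigningKeyFingerprint` in place of the proposed `OpenPGPFingerprint`, and the fingerprint is the hex SHA-256 of the raw public key. The `Client` type, the `RefetchEachRun` switch and all nar contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Cache stands in for the HTTP binary cache: URL path -> response body.
type Cache map[string][]byte

// Fingerprint is the hex SHA-256 of the raw public key (an assumption standing
// in for an OpenPGP fingerprint).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewCache serves the files from the proposal: /nix-cache-info carrying the key
// fingerprint (1a), /nix-signing-key (1b), and the nar with its detached
// signature (2). The signature covers the uncompressed nar, which is what is
// served here; a real cache would sign before compressing.
func NewCache(pub ed25519.PublicKey, priv ed25519.PrivateKey, narName string, nar []byte) Cache {
	return Cache{
		"/nix-cache-info":          []byte("StoreDir: /nix/store\nWantMassQuery: 1\nSigningKeyFingerprint: " + Fingerprint(pub) + "\n"),
		"/nix-signing-key":         []byte(pub),
		"/nar/" + narName:          nar,
		"/nar/" + narName + ".sig": ed25519.Sign(priv, nar),
	}
}

var (
	ErrNoKey        = errors.New("missing or malformed /nix-signing-key")
	ErrFingerprint  = errors.New("fingerprint in /nix-cache-info does not match /nix-signing-key")
	ErrBadSignature = errors.New("nar signature does not verify under the trusted key")
)

// Client is the substituter. Pinned is the key stored locally after first
// contact; RefetchEachRun reproduces the behaviour the reply warns against.
type Client struct {
	Pinned         ed25519.PublicKey
	RefetchEachRun bool
}

func fingerprintField(info []byte) string {
	for _, line := range strings.Split(string(info), "\n") {
		if strings.HasPrefix(line, "SigningKeyFingerprint: ") {
			return strings.TrimPrefix(line, "SigningKeyFingerprint: ")
		}
	}
	return ""
}

// TrustedKey returns the key to verify against. The cache is consulted only on
// first contact (or on every run when RefetchEachRun is set); the served key is
// cross-checked against the fingerprint in /nix-cache-info and then pinned.
func (c *Client) TrustedKey(cache Cache) (ed25519.PublicKey, error) {
	if c.Pinned != nil && !c.RefetchEachRun {
		return c.Pinned, nil // stored locally; the network is not asked again
	}
	served := cache["/nix-signing-key"]
	if len(served) != ed25519.PublicKeySize {
		return nil, ErrNoKey
	}
	key := ed25519.PublicKey(append([]byte(nil), served...))
	if fingerprintField(cache["/nix-cache-info"]) != Fingerprint(key) {
		return nil, ErrFingerprint
	}
	c.Pinned = key
	return key, nil
}

// Fetch returns the nar only if its detached signature verifies under the
// trusted key; anything else is rejected before it reaches the store.
func (c *Client) Fetch(cache Cache, narName string) ([]byte, error) {
	key, err := c.TrustedKey(cache)
	if err != nil {
		return nil, err
	}
	nar, ok := cache["/nar/"+narName]
	if !ok {
		return nil, fmt.Errorf("%s: not in cache", narName)
	}
	sig := cache["/nar/"+narName+".sig"]
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(key, nar, sig) {
		return nil, ErrBadSignature
	}
	return nar, nil
}

func main() {
	const name = "zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	honest := NewCache(pub, priv, name, []byte("constructed nar of gmp-5.1.1"))
	epub, epriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := NewCache(epub, epriv, name, []byte("constructed nar from the redirecting network"))

	pinning := &Client{}
	_, err := pinning.Fetch(honest, name) // first run: key fetched once and stored
	fmt.Println("honest cache, pinning client:", err)
	_, err = pinning.Fetch(evil, name) // later run: stored key used, evil nar rejected
	fmt.Println("evil cache, pinning client:", err)

	refetching := &Client{RefetchEachRun: true}
	refetching.Fetch(honest, name)
	_, err = refetching.Fetch(evil, name) // key re-fetched from the evil cache: accepted
	fmt.Println("evil cache, refetching client:", err)
}
```

The redirecting host controls every file it serves, so it can make its own key, fingerprint and signature mutually consistent; the only thing it cannot forge is a signature under the key the client already holds, which is why the check has to run against the locally stored key rather than whatever was just downloaded.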

