[Nix-dev] Signing source packages

Daniel Shahaf d.s at daniel.shahaf.name
Mon Feb 2 16:45:31 CET 2015


[ tl;dr: NixOS should sign any code that makes it into users' systems. ]

I've been looking at NixOS to see if I could use it in my workflow.

In my understanding, when a NixOS user installs a package, he has to
trust: (1) the nixos.org binary cache; (2) the nixos.org channel
descriptor; (3) github, from whence the channel descriptor is built;
(4) the nixpkgs committer who pushed a particular changeset to github.
Here, "trust" means that a compromise of any of those entities could
lead to malicious packages being installed on the user's system.

(I'm not insinuating that any of those entities are malicious; I'm only
pointing out that a black hat needs to crack only one of them in order
to get his code on users' systems.  A chain is as strong as its weakest
link.)

It would be desirable to reduce the number of entities that a user needs
to trust.  The standard way to do this is to use PGP signing for
end-to-end verification: whoever generates the thing (source or binary
package) being signed still must be trusted, but intermediaries need not
be.  Signatures are also preferable to checksums, since users not
connected to the web of trust can still confirm that a new version of
a package was signed by the same entity who signed the incumbent
version.

I would therefore suggest that NixOS starts signing any code that gets
installed on users' machines, and that Nix should, by default, verify
signature against a set of trusted keys and refuse to install packages
that fail to verify.  By comparison, most distros sign everything, from
.iso images onwards.

Part of this has been implemented: verification of binary packages was
implemented last year [1]; however, it is off by default.  (Thanks
to Lethalman on IRC for this information.)

I'm suggesting that as an interested potential user; I don't run NixOS
at the moment.  (And not having signed packages makes it harder for me
to choose it over alternatives.)

Cheers,

Daniel

[1] https://github.com/NixOS/nix/commit/0fdf4da0e979f992db75cc17376e455ddc5a96d8
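The policy the message argues for (verify every package against a set of trusted keys, refuse anything that fails, and let a user who is outside the web of trust at least confirm that a new version was signed by the same key as the incumbent version) can be shown in a few dozen lines. The following is an added example, not code from the post or from Nix; it uses Go's standard-library Ed25519 in place of PGP, and the `SignedPackage`, `Verifier` and `Sign` names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// SignedPackage is a constructed stand-in for a signed source or binary package.
// The signer's public key travels with it, but only keys in the trust set count.
type SignedPackage struct {
	Name, Version string
	Contents, Sig []byte
	Signer        ed25519.PublicKey
}

// Verifier holds the user's trusted keys and, per package name, the key that
// signed the version already installed (the incumbent), for the continuity check.
type Verifier struct {
	Trusted map[string]bool   // keyed by string(publicKey)
	LastKey map[string]string // package name -> string(publicKey)
}

var ErrUntrustedKey = errors.New("signing key is not in the trusted set")
var ErrBadSignature = errors.New("signature does not verify")
var ErrKeyChanged = errors.New("signer differs from the incumbent version's signer")

// signedMessage binds name and version into the signed bytes so a signature
// over one version cannot be replayed onto another version or package.
func signedMessage(name, version string, contents []byte) []byte {
	return append([]byte(name+"\x00"+version+"\x00"), contents...)
}

// Sign is the producer side: the package author or build farm signs with priv.
func Sign(priv ed25519.PrivateKey, name, version string, contents []byte) SignedPackage {
	sig := ed25519.Sign(priv, signedMessage(name, version, contents))
	return SignedPackage{Name: name, Version: version, Contents: contents, Sig: sig, Signer: priv.Public().(ed25519.PublicKey)}
}

// Verify refuses packages not signed by a trusted key, packages whose signature
// fails, and new versions signed by a different key than the incumbent version.
func (v *Verifier) Verify(p SignedPackage) error {
	if !v.Trusted[string(p.Signer)] {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(p.Signer, signedMessage(p.Name, p.Version, p.Contents), p.Sig) {
		return ErrBadSignature
	}
	if prev, seen := v.LastKey[p.Name]; seen && prev != string(p.Signer) {
		return ErrKeyChanged
	}
	v.LastKey[p.Name] = string(p.Signer) // remember the signer for the next version
	return nil
}
```

Intermediaries (cache, channel, hosting) never hold the private key, so tampering anywhere between signer and user surfaces as `ErrBadSignature`, while a rotated or substituted key surfaces as `ErrKeyChanged` even to a user who has no way to judge the new key on its own.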

