[Nix-dev] Signed git

S3 scubed2 at gmail.com
Fri Feb 26 17:05:52 CET 2016


> The binary caches are signed by the build farm, i.e. the mapping from
> expressions to binaries is "safe". That's probably the only signing ATM.
> For transporting nix expressions we offer https.
> 
> Disclaimer: I'm no security expert. And I dislike giving a false feeling
> of security.
> 
> Note that we have >70 people with push access to nixpkgs. Those are
> random people who contributed larger parts of useful stuff. Even if we
> did sign by a single key that you presumably trust, that person really
> wouldn't be able to guarantee that the contents haven't been tampered with.
> 
> Getting everyone to sign their commits would give us accountability in case
> some of us did something malicious (or github). Would that be a
> significant improvement? I'm not certain, but we might do it as the next
> step.

With signing, you would know that at least it is one of those 70 people.
Otherwise, it could be any intermediary not even related to the project.
If the original installation is tampered with, it would be very
difficult to know if anything after that point was correct.

> You can only point to something if you can sign that pointer. Just telling
> me a narinfo without any more information (that is, signing that) puts us
> back to square one.

https://github.com/NixOS/nix/issues/75

Ah, that's interesting. I didn't know narinfos were signed. But that's
still not quite sufficient. git gives you the nix expression, and the nix
expression builds the packages. If it can get the cached version, it can
verify the signature, so at least it would know the package was good in
that case. But if it can't, then it builds the package itself, using
instructions that aren't verified. So it could be building a tampered
binary, since the instructions to build it were tampered with.

If the git tags were signed, then you would know that the instructions
were good, and would have reason to think that what you built from them
was also correct.

-- 
$_="sccc,gB1,a_oo,JosBackuSa,g11,ug1a,oscc,cBBg,JcgaBuucaB_s11_Juc_c";
while(($c,$b,$a)=m/^(.)([^,]*),(.*)$/){$_=$a;s/$c/$b/g;}
print map chr length,split /_/;
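The post argues that a signed git tag is what lets you trust the build instructions when there is no signed cache hit to fall back on. The script below is an added illustration of how a consumer might enforce that before using a nixpkgs checkout; it is not code from the nix-dev thread or from the Nix project. It assumes git and gpg are installed, that `git verify-tag --raw` emits gpg's status lines on stderr (it does), and that the operator maintains an explicit allowlist of signing-key fingerprints; the fingerprints shown are constructed placeholders. The point it adds over the prose: a mere GOODSIG is not enough, because gpg will report GOODSIG for any key in the keyring, so the script also checks the signing key's fingerprint against the allowlist before checking out the tag.

```shell
#!/bin/sh
# Added example (not from the nix-dev thread or the Nix project): refuse to use
# a nixpkgs checkout unless the requested tag carries a valid signature from an
# explicitly allowlisted key.

# Constructed allowlist of full primary-key fingerprints (placeholders).
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# check_status: read gpg status-fd lines (what `git verify-tag --raw` prints
# on stderr) from stdin. Succeed only if a GOODSIG line was seen AND the
# VALIDSIG line names a primary-key fingerprint that is in TRUSTED_FPRS.
# GOODSIG alone is not sufficient: gpg emits it for any key in the keyring.
check_status() {
  good=0
  trusted=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)
        good=1 ;;
      "[GNUPG:] VALIDSIG "*)
        # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
        #          <hash-algo> <class> <primary-key-fpr>
        # shellcheck disable=SC2086
        set -- $line
        fpr=${12:-$3}            # older gpg may omit the primary-key field
        for t in $TRUSTED_FPRS; do
          [ "$t" = "$fpr" ] && trusted=1
        done ;;
    esac
  done
  [ "$good" -eq 1 ] && [ "$trusted" -eq 1 ]
}

# verify_and_checkout <repo-dir> <tag>: verify the tag signature against the
# allowlist, then check out exactly that tag (never a branch that may have
# moved since). Returns non-zero and checks out nothing on any failure.
verify_and_checkout() {
  repo=$1
  tag=$2
  if git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null | check_status; then
    git -C "$repo" checkout --quiet "refs/tags/$tag" && return 0
  fi
  echo "refusing to use $tag: no valid signature from a trusted key" >&2
  return 1
}

# Usage (assumes a local nixpkgs clone and a signed tag name):
#   verify_and_checkout ./nixpkgs some-signed-tag && nix-build -A hello ./nixpkgs
```

Pinning to `refs/tags/<tag>` after verification matters: verifying the tag and then checking out a branch name would let the checkout drift to unverified commits. Keeping the allowlist as fingerprints rather than short key IDs avoids the short-ID collision problem.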
