[Nix-dev] Malicious installation methods
Bardur Arantsson
spam at scientician.net
Sat Jun 18 23:46:00 CEST 2016
On 06/18/2016 11:18 PM, Profpatsch wrote:
>
> The script approach is not very bad. Maybe sign it with gpg for people
> who want to verify it.
>
Have you been following along on the thread at all? Signing the
installer script does very little[1] unless the bits it fetches are
themselves also signed (GPG style) and verified by the script.
Regards,
[1] Alright, it's better than nothing. In fact, quite a lot better than
nothing, but what you really want is signing of everything in the trust
chain. A *possible* way around this would be if the installer script
were to have embedded/hardcoded (crypto-secure) hashes and would fetch
things only via URLs containing those hashes. That'd at least be
*something*.
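
The hardcoded-hash idea from the footnote above, as an added sketch that is not part of the original post or of the Nix installer: each artifact is pinned by SHA-256, fetched from a URL containing that hash, and moved into place only after the digest matches. `BASE_URL`, the URL layout and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. BASE_URL and the <base>/<sha256>/<name> layout are assumed.
BASE_URL="${BASE_URL:-https://example.invalid/dist}"

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# pinned_url HASH NAME -> URL carrying the pinned hash as a path component
pinned_url() {
    printf '%s/%s/%s\n' "$BASE_URL" "$1" "$2"
}

# fetch URL DEST: transport only, never trusted; redefine for other transports
fetch() {
    curl -fsSL -o "$2" "$1"
}

# fetch_pinned HASH NAME DESTDIR
# Returns 0 on success, 1 on download failure, 2 on a malformed pin,
# 3 on a digest mismatch. Unverified bytes never reach DESTDIR/NAME.
fetch_pinned() {
    want=$1 name=$2 destdir=$3
    case $want in
        *[!0-9a-f]*|'') echo "bad pin for $name" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "bad pin length for $name" >&2; return 2; }
    tmp=$(mktemp "$destdir/.dl.XXXXXX") || return 1
    if ! fetch "$(pinned_url "$want" "$name")" "$tmp"; then
        rm -f "$tmp"; echo "download failed: $name" >&2; return 1
    fi
    got=$(sha256_of "$tmp")
    if [ "$got" != "$want" ]; then
        rm -f "$tmp"
        echo "hash mismatch for $name: want $want got $got" >&2
        return 3
    fi
    mv "$tmp" "$destdir/$name"
}
```

The pins move the trust question to the installer script itself, which is why the script would still need to be signed.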