[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Sun Jun 19 14:47:43 CEST 2016


>> If you sign the script and it contains say sha512sums for the things it
>> pulls you don't have to sign them separately. It's similar to how many
>> distributions only distribute one file with all the sums that is signed.
>
> I don't think there's no easy way for the user to verify such sums, as
> they would be over large file trees. (Nix would do that but at this
> point they don't have/trust it yet.)

The user doesn't verify those sums or signatures, the installation
script does. The user only has to verify the installation script.

> Perhaps if we built one big self-extracting script and signed it... if
> you'd like to implement that ;-)


This is what the script currently does:

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"
    curl -L "$url" | bzcat | tar x -C "$unpack" || oops "failed to unpack \`$url'"

What it could do instead is:

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"
    sig="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2.sig"

    wget "$url" "$sig" || oops "download failed"
    gpg --verify "nix-1.11.2-$system.tar.bz2.sig" "nix-1.11.2-$system.tar.bz2" || oops "verification failed"
    # -f takes the archive as its argument, so it must come before -C
    tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Or you could just have the sha512sum embedded in the installation
script:

    case "$(uname -s).$(uname -m)" in
        Linux.x86_64) system=x86_64-linux
                      sum="f3934610bdc68b276a362b9079b18dd6d28221a727ec71ed3a3a11fddcee59dd2fa1ac401b3a25d668e880c04bcd4c971cf82861820b5ff678353f7e7ba1bfc41  nix-1.11.2-x86_64-linux.tar.bz2";;
        Linux.i?86) system=i686-linux
                    sum="fa52b31a63603be5370c2a25ca9b192fbb8f50038904a9a4d590a6abefdb3b46c362d1f49dbee5fa09175ebdcbb84317615a3d647197da1485f5543d7ff7fc0a  nix-1.11.2-i686-linux.tar.bz2";;
        Darwin.x86_64) system=x86_64-darwin
                       sum="f0af3f2ca025fae9e026ce0ad53852d05faa0f11cf2a3be239d5dfec1a2c7f47cb9a43a17cd4c5894064fa9e99b444ab80b9ca0659011a21dc79269758c631ef6  nix-1.11.2-x86_64-darwin.tar.bz2";;
        *) oops "sorry, there is no binary distribution of Nix for your platform";;
    esac

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"

    wget "$url" || oops "download failed"

    # sha512sum prints "hash  filename", which is the format $sum uses above
    [ "$(sha512sum "nix-1.11.2-$system.tar.bz2")" = "$sum" ] || oops "verification failed"

    tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Of course the gpg signature would be better because people can verify
that manually as well, instead of having to verify the installation
script and to verify the tarballs by proxy.
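The embedded-checksum installer sketched above, as an added example that is not part of the original message or of the Nix installer: the platform table, the checksum check and the download/unpack step are split into functions so the verification logic can be exercised offline, and the GPG variant is shown with gpgv and a keyring shipped alongside the script instead of the user's default keyring (a swapped-in detail, not what the message proposes). The hash values used in the test are constructed; the `verify_gpg` function and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example, not the original installer. Constructed values only.

oops() { printf 'installer: %s\n' "$1" >&2; exit 1; }

# Map "uname -s" / "uname -m" to a Nix system string; refuse anything else.
detect_system() {
    case "$1.$2" in
        Linux.x86_64)  echo x86_64-linux ;;
        Linux.i?86)    echo i686-linux ;;
        Darwin.x86_64) echo x86_64-darwin ;;
        *) oops "sorry, there is no binary distribution of Nix for your platform" ;;
    esac
}

# Compare a file against a hex sha512 digest embedded in the script.
# Feeding "hash  file" to `sha512sum -c` lets coreutils do the comparison
# instead of string-matching its output format by hand; --status keeps it quiet.
verify_sha512() {
    file=$1 expected=$2
    printf '%s  %s\n' "$expected" "$file" | sha512sum -c --status -
}

# GPG variant: gpgv only trusts the keyring it is given, so a signature by
# some unrelated key that happens to sit in ~/.gnupg does not pass.
# Assumed keyring path; not exercised by the offline test below.
verify_gpg() {
    keyring=$1 file=$2
    gpgv --keyring "$keyring" "$file.sig" "$file"
}

# Download, verify, unpack. Note the tar argument order: -f takes the
# archive, -C takes the destination directory.
fetch_and_unpack() {
    system=$1 expected=$2 unpack=$3
    tarball="nix-1.11.2-$system.tar.bz2"
    url="https://nixos.org/releases/nix/nix-1.11.2/$tarball"
    wget -q "$url" || oops "download failed"
    verify_sha512 "$tarball" "$expected" || oops "verification failed"
    tar -xjf "$tarball" -C "$unpack" || oops "unpacking failed"
}
```

The installer itself would call `fetch_and_unpack "$(detect_system "$(uname -s)" "$(uname -m)")" "$sum" "$unpack"` with `$sum` taken from the embedded table.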

