[Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?
Matthias Beyer
mail at beyermatthias.de
Wed Mar 9 15:58:30 CET 2016
Hi,
I have a question. When calling `nix-store --verify-path /nix/store/something`,
it verifies that the contents of the store path haven't been altered by an
attacker or some other corruption like bitflips or something, am I right?
It does so by comparing the hashsum of the directory contents with a hash sum
stored in some database, am I right?
How to know that the database isn't corrupt?
Following scenario:
An attacker altered the libc of my system. The attacker knows how nix works
and alters the hash stored in the database as well.
Calling `nix-store --verify-path /nix/store/somehash-libc-something` exits
without error now, as the hashes still match.
Or am I getting something wrong here?
--
Mit freundlichen Grüßen,
Kind regards,
Matthias Beyer
Proudly sent with mutt.
Happily signed with gnupg.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160309/86a74967/attachment.bin
More information about the nix-dev
mailing list