[Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

Roger Qiu roger.qiu at matrix.ai
Wed Mar 9 16:02:24 CET 2016


The database you're referring to is the nixpkgs repository/channel right?
On 10/03/2016 1:59 AM, "Matthias Beyer" <mail at beyermatthias.de> wrote:

> Hi,
>
> I have a question. When calling `nix-store --verify-path /nix/store/something`,
> it verifies that the contents of the store path haven't been altered by an
> attacker or some other corruption like bitflips or something, am I right?
>
> It does so by comparing the hashsum of the directory contents with a hash sum
> stored in some database, am I right?
>
> How to know that the database isn't corrupt?
>
> Following scenario:
>
>     An attacker altered the libc of my system. The attacker knows how nix works
>     and alters the hash stored in the database as well.
>     Calling `nix-store --verify-path /nix/store/somehash-libc-something` exits
>     without error now, as the hashes still match.
>
> Or am I getting something wrong here?
>
> --
> Mit freundlichen Grüßen,
> Kind regards,
> Matthias Beyer
>
> Proudly sent with mutt.
> Happily signed with gnupg.
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
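A defender-side check for the scenario Matthias describes, added here as an example that is not from the thread or from Nix itself: a local DB an attacker has rewritten stays consistent with itself, so the hash it holds for a store path is compared against the NarHash the binary cache publishes for that same path. It assumes the cache.nixos.org narinfo format and that the local value comes from `nix-store --query --hash` or the sqlite ValidPaths table; the store path and digests below are constructed.

```python
import hashlib
NIX32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's own base32 alphabet (no e, o, t, u)

def nix32_encode(raw: bytes) -> str:
    """Encode bytes as nix-hash --base32 does (52 chars for a sha256 digest)."""
    out = []
    for n in range((len(raw) * 8 - 1) // 5, -1, -1):
        i, j = (n * 5) // 8, (n * 5) % 8
        c = raw[i] >> j | (raw[i + 1] << (8 - j) if i + 1 < len(raw) else 0)
        out.append(NIX32[c & 0x1F])
    return "".join(out)

def nix32_decode(s: str, nbytes: int = 32) -> bytes:
    """Inverse of nix32_encode; rejects bad characters, wrong length and non-zero padding bits."""
    if len(s) != (nbytes * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte digest" % nbytes)
    out = bytearray(nbytes)
    for n, ch in enumerate(reversed(s)):
        digit, i, j = NIX32.index(ch), (n * 5) // 8, (n * 5) % 8
        out[i] |= (digit << j) & 0xFF
        if i + 1 < nbytes:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("non-zero padding bits")
    return bytes(out)

def hash_to_bytes(spec: str) -> bytes:
    """'sha256:<64 hex>' (sqlite ValidPaths.hash) or 'sha256:<52 nix-base32>' (--query --hash, NarHash)."""
    algo, digest = spec.split(":", 1)
    if algo != "sha256":
        raise ValueError("only sha256 NAR hashes are handled")
    return bytes.fromhex(digest) if len(digest) == 64 else nix32_decode(digest)

def parse_narinfo(text: str) -> dict:
    """Split the 'Key: value' lines of a .narinfo document into a dict."""
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in text.splitlines() if ":" in l)}

def narhash_matches(local_hash: str, narinfo_text: str) -> bool:
    """True iff the hash the local DB holds equals the NarHash the binary cache advertises."""
    return hash_to_bytes(local_hash) == hash_to_bytes(parse_narinfo(narinfo_text)["NarHash"])

# Constructed sample, not real store data: one NAR digest as the local DB stores it (hex) and as the
# cache serves it (Nix base32). Real inputs: `nix-store --query --hash <path>` and the narinfo at
# https://cache.nixos.org/<32-char hash part of the store path>.narinfo
GOOD = hashlib.sha256(b"constructed sample NAR").digest()
LOCAL_DB_HASH = "sha256:" + GOOD.hex()
NARINFO = "StorePath: /nix/store/<placeholder>-glibc\nNarHash: sha256:" + nix32_encode(GOOD) + "\n"
if __name__ == "__main__":
    print("clean entry:", narhash_matches(LOCAL_DB_HASH, NARINFO))                # True
    print("rewritten entry:", narhash_matches("sha256:" + "ff" * 32, NARINFO))    # False
```

The comparison is only as good as the cache copy, so the narinfo's `Sig:` line should be checked against the cache's public key before it is trusted; `nix-store --verify --check-contents` rehashes the store contents but still judges them against the same local DB.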