bug-guix

bug#33733: Irrelevant narinfo signatures are honored


From: Ludovic Courtès
Subject: bug#33733: Irrelevant narinfo signatures are honored
Date: Fri, 14 Dec 2018 00:39:55 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Ludovic Courtès <address@hidden> writes:

> The problem is that ‘guix substitute’ will accept such narinfos (when
> they are signed by an authorized key), even though the signature doesn’t
> cover the important parts (namely: StorePath, NarHash, and References;
> the rest is mostly informative.)  A fix is attached with tests that
> illustrate the problem.

I pushed the fix as 60b04024f8823192b74c1ed5b14f318049865ac7 and an
update of the ‘guix’ package as
7ef64ec8476e9f13262d7755aff27c97dd2cd683.

I encourage you to upgrade your daemon.

Ludo’.
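
An added illustration, not part of the original message and not Guix's code: a check that a narinfo's signed portion actually contains StorePath, NarHash and References, the fields the report names. It assumes a simplified layout in which the signature covers exactly the text preceding the `Signature:` line; the function names and sample values are hypothetical.

```python
# Added example (not Guix code): check that the signed part of a narinfo
# covers the fields named in the report. Verifying the signature itself
# against an authorized key is a separate step, not shown here.
REQUIRED = ("StorePath", "NarHash", "References")


def split_signed(narinfo):
    """Split at the first Signature line: (signed_lines, unsigned_lines).

    Assumption: the signature covers exactly the text that precedes it.
    """
    lines = narinfo.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Signature:"):
            return lines[:i], lines[i + 1:]
    return [], lines  # no signature at all: nothing is covered


def field_names(lines):
    return [line.split(":", 1)[0] for line in lines if ":" in line]


def signature_is_relevant(narinfo):
    """True only if each required field is signed once and never unsigned."""
    signed, unsigned = split_signed(narinfo)
    signed_names, unsigned_names = field_names(signed), field_names(unsigned)
    covered = all(signed_names.count(f) == 1 for f in REQUIRED)
    shadowed = any(f in unsigned_names for f in REQUIRED)
    return covered and not shadowed


# Constructed samples; paths, hashes and signature values are placeholders.
BODY = ("StorePath: /gnu/store/PLACEHOLDER-example-1.0\n"
        "NarHash: sha256:PLACEHOLDER\n"
        "References: \n")
INFO = "URL: nar/PLACEHOLDER-example-1.0\nCompression: none\n"
SIG = "Signature: 1;example.org;PLACEHOLDER\n"

GOOD = BODY + INFO + SIG          # signature follows the important fields
IRRELEVANT = INFO + SIG + BODY    # signature covers only informative fields
SHADOWED = GOOD + "StorePath: /gnu/store/PLACEHOLDER-other-1.0\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("irrelevant", IRRELEVANT),
                         ("shadowed", SHADOWED), ("unsigned", BODY + INFO)]:
        print(name, signature_is_relevant(sample))
```

Only the first sample passes; the other three are rejected before any cryptographic verification would matter.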




