Re: Securing the software distribution chain

[Ludovic Courtès]

Hi!

Justus Winter <teythoon@avior.uberspace.de> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> The idea of storing cryptographic metadata directly in <origin> has been
>> discussed a few times:
>>
>>   https://lists.gnu.org/archive/html/help-guix/2016-08/msg00132.html
>>   https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>>   
>> https://git.savannah.gnu.org/cgit/guix.git/tree/TODO?id=6b8875c838d637773813899b35a9b5ea4acfd146#n29
>>
>> To me, the biggest shortcoming of this approach is if this metadata is
>> primarily “ornamental”: if in practice, ‘guix build -S’ doesn’t use it
>> (and it has no reason to use it), then that metadata is likely to become
>> stale without anyone noticing.
>
> On the other hand, most packaging metadata is ornamental.  There is no
> way to tell if synopsis or description is up to date or correct.  With
> signing metadata there is a way to detect this, so I don't see how
> tracking signing metadata is worse than tracking the description.

[...]

>> Of course we could have additional tools to make use of that info, say
>> ‘guix build -S --authenticate’ or something.  But that would still be
>> optional.
>
> Don't make it optional!  Empower and encourage us downstream users to
> verify upstream signatures and verify that the packager is honest, like
> you empower us to build software and verify that the substitution
> builder is honest.

Fundamentally, users trust packagers: they run their code.  Yet,
making it easier for users to audit the work of packagers sounds like a
good idea.  I agree with the philosophy.

I guess I poorly explained myself.  To put it differently, there is no
obvious place where signature verification fits here: the model is that
Guix code itself is authentic, and thus all that matters is ensuring
that we get the right content (checking the hash of origins).  Signature
metadata is “silent” in that model.

We can introduce signature verification in (guix download): every time
code is downloaded and signature metadata is available, we verify its
signature.  Unfortunately, I’m afraid this is likely to lead to lots of
false positives, and in particular failure to retrieve the OpenPGP key.

WDYT?  Where would you integrate that?

>>> Thinking a bit more about having a hashsum as part of the packaging
>>> definition, it seems to me that this is a bit of a modelling error.
>>> Because there is no standardized way of authenticating a source
>>> distribution, Guix defers this step to the packager.  And if there is no
>>> way to authenticate an artifact (because upstream doesn't provide
>>> signatures), we at least get TOFU, i.e. the assurance that any user
>>> gets the same artifact as the packager.
>>>
>>> This doesn't seem terribly problematic, but it doesn't support parts of
>>> the artifact changing, because in this model, this cannot be
>>> distinguished from an attack.  Is there a way an artifact may change in
>>> a valid way that Guix (and other distributions) may want to support?
>>
>> What do you mean?  If, for example, a tarball is modified in-place
>> upstream, it’s an error from Guix’ viewpoint.
>
> I mean that the tarball inside the OpenPGP message stays the same, but
> we attach more signatures to the OpenPGP message over time.

I see.  We’ve only encountered detached signatures so far.

>>> We believe there is.  We propose to solve the problem of locating the
>>> signatures by bundling them with the source distribution.  Instead of
>>> using a detached PGP signature, we want to distribute the source as a
>>> signed PGP message.
>>>
>>> Now, if you compute a hashsum over such an artifact, you are in effect
>>> notarizing the signatures in the message and the message payload.  If
>>> the developers add a signature to the message, the hashsum changes and
>>> your notarization breaks.
>>>
>>> The preferred way to support this is to not verify that the hashsum over
>>> the artifact matches, but to verify the PGP signatures over the payload
>>> using the set of eligible signing keys in the package metadata.
>>
>> In practice, we don’t get to choose the authentication method.  You’re
>> proposing a different authentication method here, but we’re just
>> downstream: you’ll have to convince upstreams first.  :-)
>
> Well, I'm a upstream, and this is your heads up that you are not
> prepared to deal with our source distribution scheme of choice.  And,
> we're hoping to convince other projects to use our scheme as well.
>
> We've been talking about this problem internally, and we have concluded
> that it is useful to be able to pin the source tarball to an exact
> version as you do now.  That is possible with our scheme by hashing only
> the literal data of the signed OpenPGP message.  That requires some
> OpenPGP parsing, but guix/openpgp.scm should support that.

(We = Sequoia-PGP, right?)

It should be possible to use to support this scheme by implementing a
new method for origins.  We would still require the origin hash to be
that of the extracted directory or tarball, which appropriate tooling
could simplify.

Thanks,
Ludo’.