Public key pinning in guix?
From: Maxime Devos
Subject: Public key pinning in guix?
Date: Fri, 07 Jan 2022 21:24:02 +0000
User-agent: Evolution 3.38.3-1
Hi guix-devel,
I coded up the following recently:
[start snip]
(use-modules (gnutls) (rnrs bytevectors))

;; TODO does this check all the right fields?
;; Host name -> expected 20-byte key ID (as returned by
;; x509-certificate-key-id) of the server certificate's public key.
(define %pinned-public-keys
  '(("content.minetest.net" . #u8(188 216 200 89 188 149 240 145 93 189
                                  114 207 239 50 157 141 57 196 11 102))
    ("ftp.gnu.org" . #u8(100 133 126 118 117 115 141 72 253 200 108 158
                         64 47 85 199 90 0 253 179 181))
    ("www.stackage.org" . #u8(101 7 34 114 166 42 66 55 116 60 42 253
                              85 30 134 236 217 108 67 119))
    ("hackage.haskell.org" . #u8(80 123 226 229 92 27 203 99 130 198 72
                                 113 250 28 247 58 254 19 104 79))
    ("fastapi.metacpan.org" . #u8(86 7 157 232 133 127 13 58 144 86 37
                                  162 91 239 203 138 150 84 56 67))
    ("cran.r-project.org" . #u8(60 80 123 29 14 43 131 116 105 126 126
                                58 154 231 6 150 216 158 70 213))
    ("web.cvs.savannah.gnu.org" . #u8(66 134 131 20 232 136 162 102 201
                                      229 202 93 21 161 26 192 176 3 61 38))))

;; Keep the original host-name check and wrap it, so the pinned key is
;; verified in addition to the usual CA validation.
(define old (@@ (gnutls) x509-certificate-matches-hostname?))
(set! (@@ (gnutls) x509-certificate-matches-hostname?)
  (lambda (certificate domain)
    (and (old certificate domain)
         ;; If the domain name is known to Guix, verify the public key
         ;; -- the CA could be corrupt or compromised!
         (let ((pinned-key (assoc-ref %pinned-public-keys domain)))
           ;; 'pk' is debugging output; it returns its last argument, so
           ;; the certificate is accepted when nothing is pinned for DOMAIN.
           (or (pk 'd domain pinned-key (not pinned-key))
               (bytevector=? pinned-key
                             (x509-certificate-key-id certificate)))))))
[end snip]
I put it in (guix import minetest); it should probably be integrated
into (guix build download) instead.
The purpose is to resist a compromise of the CA system. More
concretely, if you now do "guix refresh -u minetest-moreores"
then a MITM that compromised a CA cannot secretly replace
minetest-moreores with a mod that mines bitcoin for the MITM,
or something.
Possibly also useful for "guix download", "guix import", "guix lint",
"guix build --with-latest=...".
A downside is that whenever content.minetest.net changes public keys,
the pinned public key in Guix needs to be updated. How often does this
happen? I wouldn't know. This could be partially automated with
a "./pre-inst-env guix update-the-pinned-keys" script, and there could
be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape
hatch.
WDYT, worth the trouble or not?
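The check the snippet above wraps around GnuTLS, written out as an added example (not Guix code, and in Python rather than Guile so it can run stand-alone): derive the 20-byte key ID of a certificate, compare it against a pin table shaped like %pinned-public-keys, and honour the GUIX_IGNORE_KEY_PINNING escape hatch the message proposes. Assumptions: the key ID is the SHA-1 of the DER-encoded SubjectPublicKeyInfo (the usual 20-byte key-ID form; the real value comes from x509-certificate-key-id), the two certificates are constructed, unsigned stand-ins built by the block itself, and the pin table value is computed from one of them rather than copied from the page. The example also renders a key ID as the #u8(...) literal the alist uses, which is what an "update-the-pinned-keys" helper would print.

```python
import hashlib
import hmac
import os

# --- minimal DER helpers: enough to walk a Certificate down to its SPKI ---

def der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, off):
    """Decode the TLV at OFF; return (tag, content_start, content_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + length

def _children(buf, start, end):
    """Yield (tag, element_start, element_end) for each element of a SEQUENCE."""
    off = start
    while off < end:
        tag, _, cend = _tlv(buf, off)
        yield tag, off, cend
        off = cend

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo element of an X.509 certificate."""
    tag, start, _ = _tlv(cert_der, 0)                    # Certificate ::= SEQUENCE
    tbs_tag, tbs_start, tbs_end = _tlv(cert_der, start)  # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:                  # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, s, e = fields[5]
    return cert_der[s:e]

def key_id(cert_der):
    """20-byte key ID: SHA-1 over the DER SubjectPublicKeyInfo (assumption, see lead-in)."""
    return hashlib.sha1(extract_spki(cert_der)).digest()

def scheme_u8_literal(b):
    """Render bytes as the #u8(...) literal used in the pinned-key alist."""
    return "#u8(" + " ".join(str(x) for x in b) + ")"

# --- constructed stand-in certificates: structurally valid, not signed ---

OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def make_spki(key_material):
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_material))

def make_fake_cert(spki):
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"220101000000Z") + der(0x17, b"230101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(16)))

SPKI_A = make_spki(bytes(range(1, 65)))
CERT_A = make_fake_cert(SPKI_A)                             # the genuine server key
CERT_B = make_fake_cert(make_spki(bytes(range(65, 129))))   # a CA-accepted impostor

# Pin table in the shape of %pinned-public-keys; the value is constructed here.
PINNED_KEY_IDS = {"content.minetest.net": key_id(CERT_A)}

def check_pin(domain, cert_der, pins=None, ignore=None):
    """True if DOMAIN has no pin, the escape hatch is set, or the key ID matches."""
    pins = PINNED_KEY_IDS if pins is None else pins
    if ignore is None:
        ignore = os.environ.get("GUIX_IGNORE_KEY_PINNING") == "yes"
    pinned = pins.get(domain)
    if pinned is None or ignore:
        return True                         # fall back to CA validation alone
    return hmac.compare_digest(pinned, key_id(cert_der))

def certificate_ok(domain, cert_der, ca_valid):
    """Mirror of the wrapped check: CA/host-name validation AND the pin."""
    return bool(ca_valid) and check_pin(domain, cert_der)

if __name__ == "__main__":
    print("content.minetest.net pin:", scheme_u8_literal(key_id(CERT_A)))
    print("impostor accepted?", certificate_ok("content.minetest.net", CERT_B, True))
```

A certificate for an unpinned host passes on CA validation alone, exactly as the `(not pinned-key)` branch does; for a pinned host, a certificate the CA accepts but whose key ID differs is rejected, which is the MITM case the message is about. The comparison uses a constant-time equality so the pin check itself does not leak which bytes matched.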