Re: Authenticating binary substitutes
From: Ludovic Courtès
Subject: Re: Authenticating binary substitutes
Date: Wed, 22 May 2013 23:48:12 +0200
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)
Eelco Dolstra <address@hidden> skribis:
> On 22/05/13 16:16, Ludovic Courtès wrote:
>
>> I think it’s enough to sign nars. What do you think it would add to
>> sign narinfos as well?
>
> I think it's enough to sign the narinfo, since it contains the hash of the NAR
> (which Nix already verifies).
Right.
> Also, rather than having a separate .sig file, the signature could be stored
> in the narinfo file itself. That would halve the number of HTTP requests.
Well, the .sig only needs to be downloaded when the user actually
substitutes something; this is not a situation where it would really
make a difference.
Also, how would the signature be formatted, then?
> On 22/05/13 15:19, Lluís Batlle i Rossell wrote:
>
>>> How about: rather than relying on nix-cache-info, nix.conf should specify a
>>> list of fingerprints of trusted OpenPGP signing keys. Then when we fetch a
>>> .narinfo, we check whether it is signed by a trusted key. This way you don't
>>> have the problem Lluís described.
>>
>> Well, if we use gpg, gpg has its own system of trust, too. Or it's about not
>> using gpg?
>
> Now that you mention it, it would probably be better to use OpenSSL than
> GnuPG, given that we already have a (optional) dependency on OpenSSL, while
> GnuPG would be a fairly big new dependency.
I was mentioning OpenPGP (the spec), not GnuPG (an implementation).
What format and model do you have in mind?
The ideal may be SPKI/SDSI here, but OpenPGP is what people are used to,
and it’s readily available.
Ludo’.
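The trust chain the thread converges on (a signed narinfo whose NarHash binds the NAR, checked against a list of trusted key fingerprints rather than nix-cache-info, with the signature embedded in the narinfo) is shown below as an added example; it is not code from this thread or from Nix or Guix. Ed25519 from Go's standard library stands in for the OpenPGP/OpenSSL choice under discussion, the hex SHA-256 of the raw public key stands in for an OpenPGP fingerprint, and the "Sig: <fingerprint>:<base64>" line, the field names and the NAR bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// narHash returns "sha256:<hex>" over the NAR bytes, the value the narinfo states.
func narHash(nar []byte) string {
	sum := sha256.Sum256(nar)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// MakeNarinfo builds a minimal, unsigned narinfo (field names are assumptions).
func MakeNarinfo(storePath string, nar []byte) string {
	return "StorePath: " + storePath + "\nNarHash: " + narHash(nar) +
		"\nNarSize: " + fmt.Sprint(len(nar))
}

// ParseNarinfo splits "Key: value" lines into a map.
func ParseNarinfo(text string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if kv := strings.SplitN(line, ": ", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	return fields
}

// Fingerprint identifies a key: hex SHA-256 of the raw public key (an
// assumption standing in for an OpenPGP fingerprint).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// GenerateKeyPair makes a cache signing key (Ed25519 is a stand-in scheme).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// TrustStore plays the role of the nix.conf list of trusted fingerprints,
// mapped to the keys so verification can look them up.
func TrustStore(pubs ...ed25519.PublicKey) map[string]ed25519.PublicKey {
	store := map[string]ed25519.PublicKey{}
	for _, p := range pubs {
		store[Fingerprint(p)] = p
	}
	return store
}

// signedPart drops the Sig line; the signature covers everything else.
func signedPart(text string) string {
	var keep []string
	for _, line := range strings.Split(text, "\n") {
		if !strings.HasPrefix(line, "Sig: ") {
			keep = append(keep, line)
		}
	}
	return strings.Join(keep, "\n")
}

// SignNarinfo embeds the signature in the file itself, the one-request variant.
func SignNarinfo(text string, priv ed25519.PrivateKey) string {
	body := signedPart(text)
	sig := ed25519.Sign(priv, []byte(body))
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	return body + "\nSig: " + fp + ":" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyNarinfo accepts the narinfo only if Sig names a trusted fingerprint
// and the signature is valid over the rest of the file.
func VerifyNarinfo(text string, trusted map[string]ed25519.PublicKey) error {
	sigField, ok := ParseNarinfo(text)["Sig"]
	if !ok {
		return errors.New("narinfo has no Sig line")
	}
	parts := strings.SplitN(sigField, ":", 2)
	if len(parts) != 2 {
		return errors.New("malformed Sig line")
	}
	pub, ok := trusted[parts[0]]
	if !ok {
		return fmt.Errorf("signing key %s is not in the trusted list", parts[0])
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(signedPart(text)), sig) {
		return errors.New("signature does not match narinfo contents")
	}
	return nil
}

// VerifyNar closes the chain: the downloaded NAR must hash to the signed NarHash.
func VerifyNar(text string, nar []byte) error {
	if want := ParseNarinfo(text)["NarHash"]; narHash(nar) != want {
		return fmt.Errorf("NAR hash mismatch: got %s, want %s", narHash(nar), want)
	}
	return nil
}

func main() {
	pub, priv := GenerateKeyPair()
	nar := []byte("constructed NAR bytes, not a real archive") // constructed sample
	info := SignNarinfo(MakeNarinfo("/nix/store/example-hello-1.0", nar), priv)
	fmt.Println("narinfo:", VerifyNarinfo(info, TrustStore(pub)), "nar:", VerifyNar(info, nar))
}
```

Because the NAR hash sits inside the signed region, altering either the narinfo or the NAR is caught: a changed NarHash breaks the signature, and a changed NAR no longer matches the NarHash. A narinfo signed by a key whose fingerprint is not in the trusted list is rejected even when its signature is mathematically valid, which is what makes the nix.conf list, rather than the cache's own nix-cache-info, the root of trust.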