
Re: Authenticating binary substitutes

From: Ludovic Courtès
Subject: Re: Authenticating binary substitutes
Date: Wed, 22 May 2013 23:48:12 +0200
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Eelco Dolstra <address@hidden> wrote:

> On 22/05/13 16:16, Ludovic Courtès wrote:
>> I think it’s enough to sign nars.  What do you think it would add to
>> sign narinfos as well?
> I think it's enough to sign the narinfo, since it contains the hash of the NAR
> (which Nix already verifies).

> Also, rather than having a separate .sig file, the signature could be stored in
> the narinfo file itself.  That would halve the number of HTTP requests.

Well, the .sig only needs to be downloaded when the user actually
substitutes something; this is not a situation where it would really
make a difference.

Also, how would the signature be formatted, then?

> On 22/05/13 15:19, Lluís Batlle i Rossell wrote:
>>> How about: rather than relying on nix-cache-info, nix.conf should specify a list
>>> of fingerprints of trusted OpenPGP signing keys.  Then when we fetch a .narinfo,
>>> we check whether it is signed by a trusted key.  This way you don't have the
>>> problem Lluís described.
>> Well, if we use gpg, gpg has its own system of trust, too. Or it's about not
>> using gpg?
> Now that you mention it, it would probably be better to use OpenSSL than GnuPG,
> given that we already have a (optional) dependency on OpenSSL, while GnuPG would
> be a fairly big new dependency.

I was mentioning OpenPGP (the spec), not GnuPG (an implementation).

What format and model do you have in mind?

The ideal may be SPKI/SDSI here, but OpenPGP is what people are used to,
and it’s readily available.
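The model the thread converges on, as an added example that is not part of this message or of Nix: the signature lives in the narinfo itself and covers the NarHash field, so a client that (1) checks the signature against a fingerprint list configured in nix.conf and (2) checks the downloaded NAR against that hash has authenticated the NAR without a separate .sig. The thread does not fix a signature format; Ed25519 from Go's standard library is used here as a stand-in for whatever OpenPGP or OpenSSL scheme is chosen, the `Sig: <fingerprint>:<base64>` layout and the SHA-256-of-public-key fingerprint are assumptions of this example, and the store path, URL and NAR bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Narinfo holds the fields this example needs. A real .narinfo carries more
// (FileHash, References, ...); StorePath, URL and NarHash are enough to show
// why a signature on the narinfo transitively covers the NAR.
type Narinfo struct {
	StorePath string
	URL       string
	NarHash   string // "sha256:<hex digest of the NAR bytes>"
	Sig       string // "<key fingerprint>:<base64 signature>" (layout assumed here)
}

// Fingerprint identifies a key the way a nix.conf trust list could. Hex
// SHA-256 of the raw public key is an assumption; OpenPGP fingerprints differ.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedBody is the exact byte string the signature covers. Sig itself is
// excluded; everything else, NarHash included, is bound by the signature.
func signedBody(n Narinfo) []byte {
	return []byte("StorePath: " + n.StorePath + "\nURL: " + n.URL +
		"\nNarHash: " + n.NarHash + "\n")
}

// Sign stores the signature inside the narinfo (no separate .sig file).
func Sign(n Narinfo, priv ed25519.PrivateKey) Narinfo {
	sig := ed25519.Sign(priv, signedBody(n))
	pub := priv.Public().(ed25519.PublicKey)
	n.Sig = Fingerprint(pub) + ":" + base64.StdEncoding.EncodeToString(sig)
	return n
}

// Verifier holds the trusted keys indexed by fingerprint, standing in for the
// fingerprint list the thread proposes putting in nix.conf.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
}

// Verify checks (1) that the narinfo is signed by a trusted key and (2) that
// the NAR bytes match the NarHash that signature covers. A narinfo signed by
// an untrusted key fails (1); a substituted NAR under a genuine narinfo fails (2).
func (v Verifier) Verify(n Narinfo, nar []byte) error {
	fp, b64, ok := strings.Cut(n.Sig, ":")
	if !ok {
		return errors.New("narinfo is not signed")
	}
	pub, trusted := v.Trusted[fp]
	if !trusted {
		return fmt.Errorf("signing key %s is not in the trusted list", fp)
	}
	sig, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || !ed25519.Verify(pub, signedBody(n), sig) {
		return errors.New("bad signature on narinfo")
	}
	sum := sha256.Sum256(nar)
	if n.NarHash != "sha256:"+hex.EncodeToString(sum[:]) {
		return errors.New("NAR does not match the NarHash in the signed narinfo")
	}
	return nil
}

// Demo runs the honest case and two failure cases on constructed data and
// reports whether each behaved as the scheme requires.
func Demo() (honestOK, untrustedKeyRejected, tamperedNarRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // key not in the trust list
	nar := []byte("constructed NAR bytes")
	sum := sha256.Sum256(nar)
	n := Narinfo{
		StorePath: "/nix/store/example", // constructed
		URL:       "nar/example.nar.xz", // constructed
		NarHash:   "sha256:" + hex.EncodeToString(sum[:]),
	}
	v := Verifier{Trusted: map[string]ed25519.PublicKey{Fingerprint(pub): pub}}

	honestOK = v.Verify(Sign(n, priv), nar) == nil
	untrustedKeyRejected = v.Verify(Sign(n, rogue), nar) != nil
	tamperedNarRejected = v.Verify(Sign(n, priv), []byte("different NAR")) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Note that the NAR hash check is the existing one Eelco refers to; the only new step on the client is the signature check against the configured fingerprints, and because NarHash sits inside the signed bytes, nothing else needs signing.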

