
[debbugs-tracker] bug#34125: closed (Installation script needs to be sec


From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#34125: closed (Installation script needs to be secured with a gpg signature)
Date: Fri, 25 Jan 2019 21:26:02 +0000

Your message dated Fri, 25 Jan 2019 22:25:47 +0100
with message-id <address@hidden>
and subject line Re: bug#34125: Installation script needs to be secured with a 
gpg signature
has caused the debbugs.gnu.org bug report #34125,
regarding Installation script needs to be secured with a gpg signature
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
34125: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34125
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100

I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be safeguarded by a PGP-signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others' wget-scripts that install whatever to the user.

WDYT?

Björn

Attachment: pgp7b4uvg3cL8.pgp
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 25 Jan 2019 22:25:47 +0100

On Tue, 22 Jan 2019 08:18:09 +0100
Ricardo Wurmus <address@hidden> wrote:

> Hi Björn,
> 
> > I was looking at the installation video from Laura (not yet public)
> > and wondered about that:
> >
> > We just download the installation script:
> >
> > $ wget https://.../guix-install.sh
> >
> > Then we go on directly executing that script.
> >
> > Shouldn't that be safeguarded by a PGP-signature too?
> 
> I don’t know.
> 
> > Because if it is not, the user could be tricked into a script that
> > downloads a "bad" Guix installation tarball.  
> 
> To avoid having the user tricked we use HTTPS.  At least the users
> will know that this file comes from the official project website.
> 
> A user who is tricked into downloading a script from a malicious site
> could just as well download a matching signature from somewhere else,
> so the script body itself should be signed.  We can’t sign the whole
> file because the first line must be the shebang — unless we forgo the
> shebang and the “chmod +x” instruction and ask people to execute it
> with “sudo bash guix-install.sh”.  “gpg --clear-sign” adds a block of
> text before and after the file, which would be a syntax error in a
> shell script.
> 
> We are probably stuck with having a separate signature file.  I don’t
> know if it’s worth doing when HTTPS is used to fetch the script from
> an authoritative source.
> 

OK, agreed. Let's close this.

Björn

Attachment: pgp678GdacBUr.pgp
Description: OpenPGP digital signature


--- End Message ---
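
Added example, not part of the thread and not Guix project code: one way the separate signature file discussed above could be checked before the script is run, with the decision tied to a pinned key fingerprint rather than to whatever key the signature names. Assumptions: the signing key is already in the local keyring, and the fingerprint, the `.sig` file name and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: gate an installer on a detached OpenPGP signature.
# PINNED_FPR is a constructed placeholder, not a real project key; the real
# fingerprint has to come from a channel other than the download site.
PINNED_FPR="${PINNED_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# status_ok_for FPR: reads `gpg --status-fd` lines on stdin. Succeeds only if
# gpg reported GOODSIG, a VALIDSIG line names FPR as signing key (first field)
# or primary key (last field), and no bad/expired/revoked status appeared.
# VALIDSIG alone is not enough: gpg also emits it for a cryptographically
# valid signature made by an expired or revoked key.
status_ok_for() {
    sv_want="$1"; sv_good=0; sv_pinned=0; sv_bad=0
    while read -r sv_tag sv_kw sv_rest; do
        [ "$sv_tag" = "[GNUPG:]" ] || continue
        case "$sv_kw" in
            GOODSIG) sv_good=1 ;;
            VALIDSIG)
                if [ "${sv_rest%% *}" = "$sv_want" ] || [ "${sv_rest##* }" = "$sv_want" ]; then
                    sv_pinned=1
                fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) sv_bad=1 ;;
        esac
    done
    [ "$sv_good" = 1 ] && [ "$sv_pinned" = 1 ] && [ "$sv_bad" = 0 ]
}

# verify_script SCRIPT SIG: true only if SIG is a good detached signature over
# SCRIPT made by the pinned key, which must already be in the local keyring.
verify_script() {
    vs_status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$vs_status" | status_ok_for "$PINNED_FPR"
}

# Usage (guix-install.sh.sig is a hypothetical file name):
#   verify_script guix-install.sh guix-install.sh.sig && sudo bash guix-install.sh
```

A detached signature leaves the script byte-for-byte unchanged, so the shebang line stays first and nothing has to be stripped before execution.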
