GNU bug report logs - #34125
Installation script needs to be secured with a gpg signature

Package: guix;

Reported by: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Date: Fri, 18 Jan 2019 15:24:01 UTC

Severity: normal

Done: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#34125; Package guix. (Fri, 18 Jan 2019 15:24:01 GMT)

Acknowledgement sent to Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 18 Jan 2019 15:24:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: <bug-guix <at> gnu.org>
Subject: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100
I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be safeguarded by a PGP signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about other wget scripts that install whatever to the user.

WDYT?

Björn

Information forwarded to bug-guix <at> gnu.org:
bug#34125; Package guix. (Tue, 22 Jan 2019 07:19:01 GMT)

Message #8 received at 34125 <at> debbugs.gnu.org:

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 34125 <at> debbugs.gnu.org
Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature
Date: Tue, 22 Jan 2019 08:18:09 +0100
Hi Björn,

> I was looking at the installation video from Laura (not yet public) and
> wondered about that:
>
> We just download the installation script:
>
> $ wget https://.../guix-install.sh
>
> Then we go on directly executing that script.
>
> Shouldn't that be safeguarded by a PGP signature too?

I don’t know.

> Because if it is not, the user could be tricked into a script that
> downloads a "bad" Guix installation tarball.

To avoid having the user tricked we use HTTPS.  At least the users will
know that this file comes from the official project website.

A user who is tricked into downloading a script from a malicious site
could just as well download a matching signature from somewhere else, so
the script body itself should be signed.  We can’t sign the whole file
because the first line must be the shebang — unless we forgo the shebang
and the “chmod +x” instruction and ask people to execute it with “sudo
bash guix-install.sh”.  “gpg --clear-sign” adds a block of text before
and after the file, which would be a syntax error in a shell script.

We are probably stuck with having a separate signature file.  I don’t
know if it’s worth doing when HTTPS is used to fetch the script from an
authoritative source.

> That's what we are always
> criticising about other wget scripts that install whatever to the user.

The criticism is aimed at “curl | sudo bash” instructions that execute
scripts off the Internet without prior inspection as root.

--
Ricardo
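An added example (not Guix project code) of the separate-signature-file approach Ricardo describes: a POSIX sh wrapper that refuses to run a file whose first line is not a shebang (a clear-signed file starts with the PGP armor header instead), verifies a detached signature using only an isolated keyring, and pins the signer's primary key fingerprint. SIGNER_FPR is a placeholder, and the keyring directory is assumed to already hold the maintainer's public key, imported out of band.

```shell
#!/bin/sh
# Added example (not from the Guix project): run an installer script only after
# its detached GPG signature verifies against a pinned signer fingerprint.
set -eu

# Placeholder: replace with the maintainer's real primary key fingerprint (40 hex digits).
SIGNER_FPR="${SIGNER_FPR:-0000000000000000000000000000000000000000}"

# Classify a file by its first line: a runnable script must start with "#!".
# A clear-signed file starts with the PGP armor header instead, so the kernel
# would not exec it and a shell would choke on the armor lines.
script_kind() {
  first=$(head -n 1 "$1")
  case "$first" in
    '#!'*)                                 echo shebang ;;
    '-----BEGIN PGP SIGNED MESSAGE-----')  echo clearsigned ;;
    *)                                     echo other ;;
  esac
}

# Verify $1 against detached signature $2 using only the keys in homedir $3
# (assumed to contain the maintainer's public key, imported out of band).
# Succeeds only if gpg reports VALIDSIG and the primary key fingerprint
# (last field of the VALIDSIG status line) equals SIGNER_FPR.
verify_detached() {
  file=$1; sig=$2; keyring=$3
  status=$(gpg --batch --no-tty --homedir "$keyring" --status-fd 1 \
               --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $SIGNER_FPR\$"
}

# Gate: refuse anything that is not a plain script or whose signature does
# not verify; only then hand the file to the shell (prefix sudo if required).
run_verified() {
  file=$1; sig=$2; keyring=$3
  if [ "$(script_kind "$file")" != shebang ]; then
    echo "refusing: $file does not start with a shebang" >&2; return 2
  fi
  if ! verify_detached "$file" "$sig" "$keyring"; then
    echo "refusing: signature missing, invalid, or not from $SIGNER_FPR" >&2; return 3
  fi
  sh "$file"
}

# Usage: run_verified guix-install.sh guix-install.sh.sig ~/.guix-verify-keyring
```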

Reply sent to Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>:
You have taken responsibility. (Fri, 25 Jan 2019 21:26:02 GMT)

Notification sent to Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>:
bug acknowledged by developer. (Fri, 25 Jan 2019 21:26:02 GMT)

Message #13 received at 34125-done <at> debbugs.gnu.org:

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 34125-done <at> debbugs.gnu.org, Laura Lazzati <laura.lazzati.15 <at> gmail.com>
Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 25 Jan 2019 22:25:47 +0100
On Tue, 22 Jan 2019 08:18:09 +0100
Ricardo Wurmus <rekado <at> elephly.net> wrote:

> Hi Björn,
> 
> > I was looking at the installation video from Laura (not yet public)
> > and wondered about that:
> >
> > We just download the installation script:
> >
> > $ wget https://.../guix-install.sh
> >
> > Then we go on directly executing that script.
> >
> > Shouldn't that be safeguarded by a PGP signature too?  
> 
> I don’t know.
> 
> > Because if it is not, the user could be tricked into a script that
> > downloads a "bad" Guix installation tarball.  
> 
> To avoid having the user tricked we use HTTPS.  At least the users
> will know that this file comes from the official project website.
> 
> A user who is tricked into downloading a script from a malicious site
> could just as well download a matching signature from somewhere else,
> so the script body itself should be signed.  We can’t sign the whole
> file because the first line must be the shebang — unless we forgo the
> shebang and the “chmod +x” instruction and ask people to execute it
> with “sudo bash guix-install.sh”.  “gpg --clear-sign” adds a block of
> text before and after the file, which would be a syntax error in a
> shell script.
> 
> We are probably stuck with having a separate signature file.  I don’t
> know if it’s worth doing when HTTPS is used to fetch the script from
> an authoritative source.
> 

OK, agreed. Let's close this.

Björn

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 23 Feb 2019 12:24:04 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.