-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to deal with package signing? #613
Comments
That seems quite an overkill. We don't even sign the git commits (yet). You get the sources through https typically, so that's some security at least. |
For it to be useful in production (eg. for an end-user distro), this would be critical functionality, though. HTTPS only provides transport security - ie. it ensures that your connection to the distribution server is not intercepted or modified, but places its trust in the distribution server. Package signing serves a different purpose - it ensures that a package was not modified from the moment and place it was created by a maintainer, even if the distribution server is untrusted (eg. compromised). A distribution server that distributes unsigned packages would be a high-value target for a watering hole attack (whether targeted or not), as it becomes trivial to compromise a large amount of machines through the compromise of a single server. I understand that Nix might not be at that point of development yet, but it would certainly be a pre-requisite for production use outside of tightly controlled internal networks (which typically have their own distribution servers anyway). |
We hand out commit access relatively easily – if someone wanted to attack nixpkgs, it's enough to send many useful PRs, then ask for push access after a month or so and sneak in a different package hash or something... |
Right. I don't just mean nixpkgs, though - I mean having support for it in Nix as a package manager, from an implementation point of view. That's why I filed it here rather than on nixpkgs :) I'd imagine that eg. other distributions might want to use their own channels, rather than nixpkgs, with more stringent package/maintainer control. |
What's the threat model here? And what would signing a source package look like? What does it mean for a package not to be modified? Signing a package is kind of pointless if you don't also sign all the dependencies, in such a way that a change to a dependency invalidates the signature on the package. Otherwise, you can compromise a package by compromising any dependency. E.g., updating the Nix expression for GCC should invalidate the signature on the Nix expression for Firefox. But that would be pretty unworkable... |
Digital signature algorithms, such as Ed25519, can allow you to verify that the package you are receiving is authentic even if the server you got it from has been compromised. HTTPS doesn't protect data at rest, it only protects it in transit. Without digitally signing packages, you have to do the following to attack a user:
With digitally signing packages:
The idea is to protect your users from your infrastructure. It won't protect your users from you, should you turn to the dark side. |
@paragonie-scott: IMO noone was questioning those points. Also note that the transport of packages is completely secure already – binary cache packages are signed now (after being built) and verified by default (when downloaded). |
Right. I was trying to clarify the threat model a bit. |
Next step I can see is the question of trusting github and/or nixpkgs repo transport, i.e. each contributor signing his/her nixpkgs commits. That probably wouldn't be costly (by itself), but I don't feel it would bring significant security improvement (by itself). I don't feel github as a significant threat, as they have a lot to lose if betraying the trust, compared to e.g. random person with push access into nixpkgs. Heck, we don't even do any thorough security review of most PRs coming from complete strangers. (I guess I'm repeating myself, so let me stop here.) |
@vcunat It's not just about GitHub itself, though - if their systems get compromised (happens), then everybody is still at risk. Regardless, this isn't just about nixpkgs - an individual or organization (eg. a distro maintainer) may want to operate their own Nix channel with package signing, as I mentioned before. This would have to be at the very least a feature available or implementable in Nix, in some manner. |
Anyone can start signing his/her own tags into a nixpkgs tree fork (e.g. after a security review). The infrastructure is all there (git's --verify-signatures). Channels can't do that automatically AFAIK, but frankly, that's only a tiny inconvenience, and you can do the same with a few lines of scripts through git. |
As a random gentoo dude, I might say, that this feature is a must. 👍 |
I'm still struggling to understand what additional things need signing.
|
@copumpkin .nix files by itself, attached patches. All files in For example gentoo has Manifest (https://devmanual.gentoo.org/general-concepts/manifest/) file, which lists all files for package, and which should be signed with gpg. Example Manifest file for portage package manager
Some abstracts on the topic |
@diimpp how is that different from signing a git hash/channel, given that the git commit is basically the root of a Merkle tree of the things you want signed? More specifically, assuming we had per-file signatures and that git wasn't sufficient, who would be signing these files (pretty sure Eelco isn't prepared to put his stamp of approval on everything in nixpkgs) and what would you be checking when you checked them? |
@copumpkin, git signing is signing of the means, not packages itself. Technically it does the job, while packages are installed via git. For example I would create my private repo with hg and packages tree becomes untrusted. It's not about securing it right away, but building means to do so. On keys singing, here is how it's done at gentoo https://www.gentoo.org/downloads/signatures/
I'm not sure how big community and user-base of the nixos is, so maybe it's more convenient to keep it on git level, but I don't think it can be denied, that nix pm should support this feature. So I'm just a passer-by and can't offer you more insight into it, but you can check for more details at gentoo wiki. |
@diimpp but packages in Nix are installed via git, or via a frozen git tree (called a channel). So let's say we had signed git tags and signed channels. What would be missing then? Nix package definitions are source files. To draw a parallel, what would it mean to sign So the question boils down to what would such a signature mean to you? If we have git trees, they're already content-addressable and independently verifiable against a common source of truth. So if I say I'm operating off of NixOS/nixpkgs@2bcec42, I (can) know for sure that nobody's modified my package set in flight just as a fundamental property of git. With binary cache signing, I can furthermore know that @edolstra is willing to put his stamp of approval on the process that transformed that git revision into a set of binary artifacts so you don't have to recompile the world. Presumably he's willing to sign that because he carefully and securely administers the build farm and is confident in the build isolation machinery he built into Nix. The only additional layer of verification outside of private channel signatures I could imagine is something like @domenkozar as NixOS release manager saying "yes, this is indeed the set of packages I was intending to put into release 15.09", with the understanding that it's in no way a security guarantee. All such a signature would tell you is that our release is actually what he thought it was. Is that a meaningful diff in security stance? |
@copumpkin, Yes, this example was used before. It's glibc job to provide tar with signature, it's nix pm job to ensure this correct tar would be used. I don't see why it means that whole packages tree should be signed as whole. There would glibc signed package and whatever_signed package, that uses glibc. Each of them signed separately. I'm not saying, that "in repository package signing" does introduce any more security for nixos as is, That's all. :) |
I know this issue appears untouched for some time now, but as a personal user of Nix and NixOS I wanted to post that I find it frightening there is no aspect of trust throughout the lifecycle from code creation to installation. I am happy to provide knowledge and recommendations on the matter if that would be something the community is interested in pursuing. But if not then, sadly, I will leave Nix and go to Arch or Gentoo for this reason. |
@code-ape what specifically would you like signed that isn't signed today? All Nix packages built by Hydra are cryptographically signed and all Nix fixed-output derivations in the system have a sha256 that is verified by construction, and the entire system is deterministic unlike most other packaging systems. Beyond that, as I explain two messages above, other notions of signing have far more nebulous semantics. |
@copumpkin As far as I can tell this still places the Github repo as the source of trust, cryptographically. So when I decide to install an application, I ultimately am trusting Github and the repo maintainers that it is secure and the build system that the build hasn’t been tampered with. As it’s been said, it is “unlikely” that Github would be compromised, and I have no doubt the repo maintainers work very hard to ensure that PRs for nixpkgs are not a risk to users. Likewise, the build system is trusted for turning those into binaries / packages. However, this means a blanket level of trust is assumed. My biggest concern is that, as far as I can tell, is backs the system into a corner if any of these are compromised? This leads to questions like:
I know this may sound extreme to some, but some users and organizations need satisfying answers to these questions so to ensure security. I don’t have all the answer, and don’t even expect there to be immediate answers to their questions (trust in security is difficult). EDIT: As a final thought, if builds are deterministic, then perhaps a system could be created where a signed hash of the build it added to packages. Fully placing trust between the code publisher and user while meaning any tampering would break this trust. |
Hello, new nix (atop debian) user here. I'd also like to know that software I install with nix is covered by a sensible signature scheme. The sensible scheme I'd like to see is that every channel update (or revision) is signed and the local configuration for Sometimes I find discussions about package signing get muddled about "who is trusted" and "preventing compromise". I think it helps to flip things around and imagine that a backdoor is discovered that impacts one or more nix users. Those users or other investigators need to know how the backdoor was inserted. If channels were updated over http with no signatures, the answer is very broad. If channels are updated over https and come from github using git, with no signatures, the answer is still quite broad: anyone who compromised any of many numerous Certificate Authorities (not uncommon), OR anyone who compromised github, OR anyone who was able to push to the git repo, OR any of the downstream source code producers that fed into the nix package definitions. If we require channels to be signed, the answer becomes more narrow and we can now exclude all Certificate Authorities, github, and people with git push access who don't control the signature key. Now here's where we can improve things even more. If there are dozens of people with the authority to publish channel updates because nixpkgs is an open project with many collaborators, let's require each of those people to publish an individual key, and Two issues I don't have a proposal for yet because I don't understand nix well enough:
|
You need CA + routing compromise (quite feasible, but a bit harder). Also, in the current model everyone assumes that everything on Given that the project bottleneck is pull request reviewing, and it is sometimes faster to do on GitHub (line comments, for example)… oops. Also, Hydra compromise — or a generic AWS compromise, as Hydra uses AWS instances — is near-certain gameover, because you will succeed to inject code to a nontrivial fraction of committers' machines. Whatever you do with binary output authentication, until you have bit-perfect builds (we don't yet) and verify everything on builders with different control… |
Closing, see also NixOS/rfcs#34. |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/any-interest-in-checkings-signatures-while-building-packages/8918/1 |
I just read #75, which seems to suggest that binary cache 'packages' can be signed... however, this does not seem to cover packages that are installed from source. The Nix packages do seem to have hashes of external downloads, but those wouldn't be useful for verification unless the .nix file itself were signed somehow.
How would one publish a Nix expression(?) that can be cryptographically verified to be unmodified?
The text was updated successfully, but these errors were encountered: