Ignore references when importing signatures #10101
Uh, I don't think we should do that, the references are part of the identity of the path (and of the signature). What's the context that makes you want that?
This way systems sharing signatures no longer need to exchange (or hold on to) the size or references. They should not matter: the signature is based on the fingerprint which contains the narSize and references. Mathematically speaking there could be collisions, but that would essentially mean sha256/ed25519 is broken, in which case we're in trouble anyway?
Thanks for the early feedback - I was going to think about this more and add more context before un-"Draft"-ing the PR :) The context is that we're prototyping some hash collection infrastructure (https://github.com/JulienMalka/nix-hash-collection). We'd want those attestations to be signed, and it seems neat to sign them in the same way the Nix store signs them. A logical next step might be to allow importing such shared trusted signatures into your nix store. Currently, however, that would mean also recording the Indeed the
Oh, I see, thanks for the explanation. These checks don't add anything in terms of security (they run client-side anyway, it's easy to bypass them), I think they are more a matter of user friendliness than anything. Fail early if you do something stupid. And just to clarify:
(it doesn't matter in this context, but) references are sensitive since they affect the semantics of the path. If they weren't checked, an attacker in control of the binary cache could just send you a system closure with all the references to glibc removed, causing your machine to crash because all the software would be missing a dependency. Or it could remove a reference to an optional dependency (a plugin that's only dlopen-ed if the
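The fingerprint discussed in the two comments above (the signature covering narSize and references, and the reference-stripping cache scenario), as an added Go example that is not Nix's own C++ code: the signed string is built from the store path, NAR hash, NAR size and the sorted reference set, so a verifier that recomputes it from its own view of the references rejects the signature once a reference has been dropped. The store paths, NAR hash and key name are constructed samples (the hash is not a real Nix32 digest).

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"sort"
	"strconv"
	"strings"
)
// PathInfo carries the fields that Nix's fingerprint commits to.
type PathInfo struct {
	StorePath  string   // /nix/store/<hash>-<name>
	NarHash    string   // "sha256:<nix32 digest>" as Nix prints it
	NarSize    uint64
	References []string // full store paths, self-reference included
}
// Fingerprint mirrors Nix's ValidPathInfo::fingerprint() layout:
// "1;<path>;<narHash>;<narSize>;<ref1>,<ref2>,..." with references sorted.
func Fingerprint(p PathInfo) string {
	refs := append([]string(nil), p.References...)
	sort.Strings(refs)
	return "1;" + p.StorePath + ";" + p.NarHash + ";" +
		strconv.FormatUint(p.NarSize, 10) + ";" + strings.Join(refs, ",")
}
// Sign produces a narinfo "Sig:" value: "<keyname>:<base64 ed25519 signature>".
func Sign(keyName string, priv ed25519.PrivateKey, p PathInfo) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(Fingerprint(p))))
}
// Verify recomputes the fingerprint from what the verifier believes about p,
// so a changed reference list (or size, or hash) invalidates the signature.
func Verify(sig string, pub ed25519.PublicKey, p PathInfo) bool {
	_, b64, ok := strings.Cut(sig, ":")
	raw, err := base64.StdEncoding.DecodeString(b64)
	return ok && err == nil && ed25519.Verify(pub, []byte(Fingerprint(p)), raw)
}
// Demo signs a constructed path (shortened sample paths, not real store hashes), then
// re-checks the signature after the glibc reference has been dropped from the metadata.
func Demo() (validOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand.Reader
	if err != nil {
		return false, false, err
	}
	self, glibc := "/nix/store/aaaa-hello-2.12", "/nix/store/bbbb-glibc-2.38"
	info := PathInfo{StorePath: self, NarHash: "sha256:cccc", NarSize: 123456,
		References: []string{glibc, self}}
	sig := Sign("cache.example-1", priv, info)
	tampered := info
	tampered.References = []string{self} // glibc dependency removed
	return Verify(sig, pub, info), Verify(sig, pub, tampered), nil
}
```

Demo returns (true, false): the original metadata verifies, the reference-stripped copy does not, which is why an importer can rely on the signature rather than on separately exchanged reference data.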
Discussed during the Nix maintainers meeting on 2024-03-04.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2024-03-04-nix-team-meeting-minute-130/40830/1
Motivation
Allow sharing signatures without holding on to the reference information