Feature request: system.autoUpgrade Git signature verification. #304764

voronind-com opened this issue Apr 17, 2024 · 0 comments

voronind-com commented Apr 17, 2024

NixOS is already committed to using Git, and signature (GPG/PGP/SSH) verification is one of the features of Git. Simplest case: when an attacker gets access to the repository, he can push malicious changes to all the hosts that have autoupgrade enabled.

Currently system.autoUpgrade does not implement a signature verification option. Right now I use a simple custom systemd service that performs checks before switching:

```shell
# Shell body of the systemd service (Nix interpolations such as ${lib.getExe pkgs.git}
# are expanded when the NixOS configuration is built).
pushd /tmp
rm -rf ./nixos
${lib.getExe pkgs.git} clone --depth=1 --single-branch --branch=main ${const.url} ./nixos
pushd ./nixos
${lib.getExe pkgs.git} verify-commit HEAD || { # <- Verification happens here.
	echo "Verification failed."
	exit 1
}
${lib.getExe pkgs.gnumake} switch
```

In the example above I already have Git configured system-wide to use my public key for verification. As a possibility, a new option should allow specifying and checking a public key instead of relying on the system-wide configuration.

This makes it possible to block any unsigned automatic changes to the hosts. In the worst case of losing the key, it is still possible to access the host by other means and run a switch manually.

Feel free to ask me any questions.
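As an added example (not code from the issue author or from nixpkgs): a NixOS module sketch of the proposed option, which hands the allowed public keys to git per invocation through `gpg.ssh.allowedSignersFile`, so the system-wide git configuration is never consulted. The option names under `services.verifiedAutoUpgrade`, the default principal name and the flake-based `nixos-rebuild` call are assumptions.

```nix
{ config, lib, pkgs, ... }:
let
  cfg = config.services.verifiedAutoUpgrade;
  # allowed_signers format expected by git: "<principal> <key-type> <base64-key>" per line.
  allowedSigners = pkgs.writeText "allowed_signers"
    (lib.concatMapStringsSep "\n" (key: "${cfg.principal} ${key}") cfg.publicKeys);
in {
  # Hypothetical option names; not part of nixpkgs' system.autoUpgrade.
  options.services.verifiedAutoUpgrade = {
    enable = lib.mkEnableOption "auto upgrade gated on commit signature verification";
    repo = lib.mkOption { type = lib.types.str; description = "Git URL of the configuration repo."; };
    branch = lib.mkOption { type = lib.types.str; default = "main"; };
    principal = lib.mkOption { type = lib.types.str; default = "nixos-deploy"; };
    publicKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "SSH public keys (\"ssh-ed25519 AAAA...\") whose commit signatures are accepted.";
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.verified-auto-upgrade = {
      # openssh provides ssh-keygen, which git uses to check SSH signatures.
      path = [ pkgs.git pkgs.openssh pkgs.nixos-rebuild config.nix.package ];
      serviceConfig.Type = "oneshot";
      script = ''
        set -euo pipefail
        work=$(mktemp -d)
        trap 'rm -rf "$work"' EXIT
        git clone --depth=1 --single-branch --branch=${cfg.branch} ${cfg.repo} "$work/nixos"
        cd "$work/nixos"
        # Per-invocation config overrides: the system-wide git/gpg setup is not consulted;
        # only the keys listed in services.verifiedAutoUpgrade.publicKeys are trusted.
        if ! git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=${allowedSigners} \
             verify-commit HEAD; then
          echo "refusing to switch: HEAD is not signed by an allowed key" >&2
          exit 1
        fi
        # Assumes the repo is a flake with a nixosConfiguration for this host.
        nixos-rebuild switch --flake "$work/nixos"
      '';
    };
  };
}
```

Because the clone is shallow and single-branch, HEAD is exactly the branch tip that will be switched to, so verifying that one commit covers everything the upgrade applies.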


@voronind-com voronind-com changed the title Feature request: AutoUpgrade Git signature verification. Feature request: system.autoUpgrade Git signature verification. Apr 17, 2024