Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nightlies should be fetched over SSH - or are they already? #48

Closed
glyph opened this issue Jan 14, 2016 · 7 comments
Closed

nightlies should be fetched over SSH - or are they already? #48

glyph opened this issue Jan 14, 2016 · 7 comments

Comments

@glyph
Copy link

glyph commented Jan 14, 2016

http://emacsformacosx.com/about says that nightlies are built from http://git.savannah.gnu.org/cgit/emacs.git/ - the implication of the word "public" being that it is cloned over an unauthenticated transport, and so could be corrupted in transit to you by an attacker. Or do you have an SSH key registered with Savannah? Ideally, you should be cloning the repository from an SSH account (a dedicated account, not your account, with no other SSH access to anything, of course) so that you can at least verify the SSH key.

This is especially important as these binaries are codesigned; if they are built automatically and the code is retrieved via a plaintext transport, it doesn't seem there's any way to verify the code is authentic.
@caldwell
Copy link
Owner

They are fetched over http, so unauthenticated in that sense. I will see if I can get read-only ssh access to Savannah—I don't know if it's an option. It would be nice if they just offered https.

As a slight consolation, the git hash is prominently displayed, so it can be matched out of band to the real commit that was the basis for the build. Unfortunately, that git hash is served over http so it could theoretically be corrupted in transit, too (plus I only keep track of the abbreviated one :-( ). But, for a full code switcheroo attack to succeed the attacker would have to MITM both my build machine and anyone who tries to verify the git hash. This seems highly unlikely in practice.

To sum up, steps needed to be as safe as I can think of:

  1. Get nightly code over an authenticated channel.
  2. Store the git hash in a file inside the .app bundle where it will get code signed.
  3. Keep the full git hash through build process instead of abbreviating it.
  4. Serve the final .dmg over https.

4 is unlikely to happen in the short term—the site is served by a cheap shared hosting plan and I don't think they offer ssl without a significant price upgrade. Luckily, it is mitigated by the code signing.

2 and 3 are directly in my control, so I can (and will) do those.

1 may or may not happen, I will try but I can't guarantee success. Luckily, it is mitigated by 2 and 3.

@glyph
Copy link
Author

glyph commented Jan 14, 2016

They are fetched over http, so unauthenticated in that sense. I will see if I can get read-only ssh access to Savannah—I don't know if it's an option.

Allegedly it is. I have a Savannah account and I added my SSH public keys though, and the documented SSH endpoint just doesn't work. My ticket is here, so you can get updates there.

It would be nice if they just offered https.

... Yes. Yes it would.. It's really annoying that they have HTTPS for the website but not for the VCS.

As a slight consolation, the git hash is prominently displayed, so it can be matched out of band to the real commit that was the basis for the build. Unfortunately, that git hash is served over http so it could theoretically be corrupted in transit, too (plus I only keep track of the abbreviated one :-( ). But, for a full code switcheroo attack to succeed the attacker would have to MITM both my build machine and anyone who tries to verify the git hash. This seems highly unlikely in practice.

SHA-1 is basically broken at this point (see: CAs deprecating it aggressively) so I think this is of limited utility. This is why Git has signed commits as a separate feature. Still, it would be a nice indicator of provenance and at least a medium-strength demonstration of the "chain of evidence" from the VCS to you, as it were.

4 is unlikely to happen in the short term—the site is served by a cheap shared hosting plan and I don't think they offer ssl without a significant price upgrade. Luckily, it is mitigated by the code signing.

Let's Encrypt is in public beta which effectively makes real certs free and automatic. I'm happy to do the work of setting this up for you, if you'd like; I even have some infrastructure I could host it on if you just want to point the DNS towards me.

caldwell added a commit that referenced this issue Jan 18, 2016
@caldwell
[combine-and-package] Parse git rev out of nightly versions and add i…
26b0493 
…t to Info.plist

This allows some amount of verification that the downloaded binary is
built from untampered sources.

See #48
@caldwell
Copy link
Owner

The patch I just pushed addresses #2 on the list. #3 has been applied to the Jenkins build script (not under SCM). I emailed the Emacs maintainer about #1 and am waiting on a reply. I'll close this out when I hear back definitively from him.

@glyph
Copy link
Author

glyph commented Jan 18, 2016

If the Emacs maintainers are unhelpful in that regard, #1 might be at least partially accomplished by fetching from https://github.com/emacs-mirror/emacs instead; at least that way you're retrieving the code over an authenticated channel.

@caldwell
Copy link
Owner

A quick update: emacsformacosx.com is now https. That takes care of #4.

@glyph
Copy link
Author

glyph commented Mar 25, 2016

Thanks!

@caldwell
Copy link
Owner

caldwell commented Apr 5, 2022

Nightlies are now coming from https://git.savannah.gnu.org/git/emacs.git

@caldwell caldwell closed this as completed Apr 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@caldwell @glyph