nightlies should be fetched over SSH - or are they already? #48
They are fetched over http, so unauthenticated in that sense. I will see if I can get read-only ssh access to Savannah—I don't know if it's an option. It would be nice if they just offered https. As a slight consolation, the git hash is prominently displayed, so it can be matched out of band to the real commit that was the basis for the build. Unfortunately, that git hash is served over http so it could theoretically be corrupted in transit, too (plus I only keep track of the abbreviated one :-( ). But, for a full code switcheroo attack to succeed the attacker would have to MITM both my build machine and anyone who tries to verify the git hash. This seems highly unlikely in practice. To sum up, the steps needed to be as safe as I can think of:
Allegedly it is. I have a Savannah account and I added my SSH public keys though, and the documented SSH endpoint just doesn't work. My ticket is here, so you can get updates there.
Yes. Yes it would. It's really annoying that they have HTTPS for the website but not for the VCS.
SHA-1 is basically broken at this point (see: CAs deprecating it aggressively) so I think this is of limited utility. This is why Git has signed commits as a separate feature. Still, it would be a nice indicator of provenance and at least a medium-strength demonstration of the "chain of evidence" from the VCS to you, as it were.
Let's Encrypt is in public beta which effectively makes real certs free and automatic. I'm happy to do the work of setting this up for you, if you'd like; I even have some infrastructure I could host it on if you just want to point the DNS towards me.
…t to Info.plist This allows some amount of verification that the downloaded binary is built from untampered sources. See #48
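The out-of-band check the thread describes (compare the hash recorded in the shipped Info.plist against the commit you obtained yourself) can be done without trusting the hash served over plain http at all: recompute the commit id locally from the raw commit content. The following is an added example and is not code from the Emacs for Mac OS X project or from the patch above; the Info.plist key name `EmacsGitHash`, the bundle identifier and the sample commit body are assumptions constructed for the example. It goes slightly beyond the thread by also enforcing a minimum length for abbreviated hashes, since a short prefix is what the build logs actually kept.

```python
"""Verify a build's recorded git commit hash against the real commit, out of band.

Added example, not code from the Emacs for Mac OS X project. The plist key
"EmacsGitHash", the bundle identifier and SAMPLE_COMMIT_BODY are assumptions.
"""
import hashlib
import plistlib

PLIST_KEY = "EmacsGitHash"  # assumed key name; the project's real key may differ

# Constructed commit content, in the form `git cat-file commit <hash>` prints it.
# The tree id is git's well-known empty-tree id, so this commit has no files.
SAMPLE_COMMIT_BODY = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Builder <builder@example.invalid> 1450000000 +0000\n"
    b"committer Example Builder <builder@example.invalid> 1450000000 +0000\n"
    b"\n"
    b"Constructed commit for the example\n"
)


def git_object_id(kind: bytes, body: bytes) -> str:
    """Compute a git object id exactly as git does: SHA-1("<kind> <len>\\0" + body)."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def git_commit_id(commit_body: bytes) -> str:
    """Object id of a commit, recomputed locally from its raw content."""
    return git_object_id(b"commit", commit_body)


def build_info_plist(commit_hash: str) -> bytes:
    """Minimal Info.plist recording which commit a binary was built from."""
    return plistlib.dumps({
        "CFBundleIdentifier": "org.example.emacs",  # placeholder identifier
        PLIST_KEY: commit_hash,
    })


def recorded_hash(plist_bytes: bytes) -> str:
    """Extract and sanity-check the hash a shipped Info.plist claims."""
    value = plistlib.loads(plist_bytes).get(PLIST_KEY)
    if not isinstance(value, str):
        raise ValueError("no git hash recorded in Info.plist")
    value = value.strip().lower()
    if (len(value) < 7 or len(value) > 40
            or any(c not in "0123456789abcdef" for c in value)):
        raise ValueError("recorded git hash is malformed: %r" % value)
    return value


def verify_build(plist_bytes: bytes, commit_body: bytes, min_prefix: int = 40) -> bool:
    """True if the plist's hash matches the commit content obtained out of band.

    An abbreviated hash is accepted only as a prefix of the recomputed id and only
    if it has at least min_prefix hex digits; the default demands all 40, because a
    short prefix is cheap to collide and tells you little about provenance.
    """
    recorded = recorded_hash(plist_bytes)
    if len(recorded) < min_prefix:
        return False
    return git_commit_id(commit_body).startswith(recorded)


if __name__ == "__main__":
    full = git_commit_id(SAMPLE_COMMIT_BODY)
    print("recomputed commit id:", full)
    print("full hash matches:", verify_build(build_info_plist(full), SAMPLE_COMMIT_BODY))
    print("7-char prefix, strict:", verify_build(build_info_plist(full[:7]), SAMPLE_COMMIT_BODY))
    print("7-char prefix, lenient:",
          verify_build(build_info_plist(full[:7]), SAMPLE_COMMIT_BODY, min_prefix=7))
```

In practice the commit body would come from `git cat-file commit <hash>` in a clone fetched over an authenticated transport (HTTPS or SSH), and the plist from the downloaded .app bundle; the check then ties the signed binary to a commit whose content you hold, rather than to a hash string that travelled over http. It does not replace signed commits: SHA-1 identity tells you which content was built, not who authored it.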
The patch I just pushed addresses
If the Emacs maintainers are unhelpful in that regard,
A quick update: emacsformacosx.com is now https. That takes care of
Thanks!
Nightlies are now coming from https://git.savannah.gnu.org/git/emacs.git |
http://emacsformacosx.com/about says that nightlies are built from http://git.savannah.gnu.org/cgit/emacs.git/ - the implication of the word "public" being that it is cloned over an unauthenticated transport, and so could be corrupted in transit to you by an attacker. Or do you have an SSH key registered with Savannah? Ideally, you should be cloning the repository from an SSH account (a dedicated account, not your account, with no other SSH access to anything, of course) so that you can at least verify the SSH key.
This is especially important as these binaries are codesigned; if they are built automatically and the code is retrieved via a plaintext transport, it doesn't seem there's any way to verify the code is authentic.