From patchwork Sun Sep 18 18:53:23 2022
Subject: [bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs
To: Emma Turner, 57909@debbugs.gnu.org, 57910@debbugs.gnu.org
Date: Sun, 18 Sep 2022 20:53:23 +0200
Message-ID: <975274c2-e4da-e310-8a88-731e7c429828@telenet.be>
From: Maxime Devos
In-Reply-To: <966568a4-17f7-c0f0-25a4-6f6e2928b0e7@telenet.be>

On 18-09-2022 19:26, Maxime Devos wrote:
> [...]
>
> As such, I propose that:
>
>   * you adjust the patch to note that authenticating the checkout is
>     impossible if you don't already have Guix installed (instead of
>     recommending the insecure "make authenticate")
>
>   * I write a patch removing "make authenticate" and adjusting old uses
>     of "make authenticate" to "guix git authenticate ...".

I have attached a patch for the latter.

Greetings,
Maxime.

From a00ac3d016131f05c977e727f8ac15ea437aec7e Mon Sep 17 00:00:00 2001
From: Maxime Devos
Date: Sun, 18 Sep 2022 19:52:16 +0200
Subject: [PATCH] WIP Only use "make authenticate" for etc/git/pre-push.

As mentioned in , "make authenticate" cannot be used for authentication, as it makes use of a Makefile.am (and configure.ac) that might be provided by the attacker. As such, only use this in the etc/git/pre-push hook, where it can be reasonably assumed the current commit is 'safe' and it only needs to check that the safety is properly conveyed to other people (by having the commits be signed correctly).

To aid with the transition from "make authenticate" to "guix git authenticate", print an error message from "make authenticate", directing the user to use the safe "guix git authenticate" instead.

TODO missing: other uses of "make authenticate" in the documentation.

* Makefile.am (authenticate): Rename to ...
(authenticate-self-check): ... this, and add a new target
(authenticate): that depends on authenticate-self-check and additionally prints the error message.
* doc/contributing.texi (Commit Access): Adjust for target rename.
* etc/git/pre-push: Adjust for target rename.
---
 Makefile.am           | 20 ++++++++++++++------
 doc/contributing.texi |  2 +-
 etc/git/pre-push      |  2 +-
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/Makefile.am b/Makefile.am index 22dcc43f99..bfabf0bf2e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -16,6 +16,7 @@ # Copyright © 2019 Efraim Flashner # Copyright © 2021 Chris Marusich # Copyright © 2021 Andrew Tropin +# Copyright © 2022 Maxime Devos # # This file is part of GNU Guix. # 
@@ -804,12 +805,19 @@ channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA # Authenticate the current Git checkout by checking signatures on every commit. GUIX_GIT_KEYRING = origin/keyring -authenticate: +authentication_command = guix git authenticate '--keyring=$(GUIX_GIT_KEYRING)' --cache-key=channels/guix --stats '$(channel_intro_commit)' '$(channel_intro_signer)' +authenticate-self-check: $(AM_V_at)echo "Authenticating Git checkout..." ; \ - guix git authenticate \ - --keyring=$(GUIX_GIT_KEYRING) \ - --cache-key=channels/guix --stats \ - "$(channel_intro_commit)" "$(channel_intro_signer)" + $(authentication_command) +authenticate: authenticate-self-check + $(AM_V_at)echo "\"make authenticate\" is insecure, you need to run" + $(AM_V_at)echo "$(authentication_command)" + $(AM_V_at)echo "instead. Do **not** do that inside a ./pre-inst-env," + $(AM_V_at)echo "that would be insecure because of a TOCTTOU problem." + $(AM_V_at)echo "Because of the TOCTTOU problem, you likely cannot trust" + $(AM_V_at)echo "these instructions unless you have already" + $(AM_V_at)echo "authenticated the repository by other means." + $(AM_V_at)exit 1 # Assuming Guix is already installed and the daemon is up and running, this # rule builds from $(srcdir), creating and building derivations. @@ -1076,7 +1084,7 @@ cuirass-jobs: $(GOBJECTS) .PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version .PHONY: assert-no-store-file-names assert-binaries-available .PHONY: assert-final-inputs-self-contained check-channel-news -.PHONY: clean-go make-go as-derivation authenticate +.PHONY: clean-go make-go as-derivation authenticate authenticate-self-check .PHONY: update-guix-package update-NEWS cuirass-jobs release # Downloading up-to-date PO files. diff --git a/doc/contributing.texi b/doc/contributing.texi index de1d34cc03..353cb71caf 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi 
@@ -1740,7 +1740,7 @@ git config user.signingkey CABBA6EA1DC0FF33 To check that commits are signed with correct key, use: @example -make authenticate +make authenticate-self-check @end example You can prevent yourself from accidentally pushing unsigned or signed diff --git a/etc/git/pre-push b/etc/git/pre-push index 59671b0d58..7fdc533d09 100755 --- a/etc/git/pre-push +++ b/etc/git/pre-push @@ -32,7 +32,7 @@ do # Only use the hook when pushing to Savannah. case "$2" in *.gnu.org*) - exec make authenticate check-channel-news + exec make authenticate-self-check check-channel-news exit 127 ;; *) base-commit: 31a56967e2869c916b7a5e8ee570e8e10f0210a5 prerequisite-patch-id: 2712efb97bf33985fd0658e4dd8e936dc08be5fe prerequisite-patch-id: 9d2409b480a8bff0fef029b4b095922d4957e06f prerequisite-patch-id: 51a32abca3efec1ba67ead59b8694c5ea3129ad3 prerequisite-patch-id: 9092927761a340c07a99f5f3ed314a6add04cdee prerequisite-patch-id: d0af09fbd5ee0ef60bdee53b87d729e46c1db2ca prerequisite-patch-id: 4fee177b2d8c9478c6a7b8ce1ca9072942f39863 -- 2.37.3
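
Review bot: the `authenticate: authenticate-self-check` prerequisite in the Makefile.am hunk at -804 means the warning is reached only after the self-check has run and succeeded. If the check fails, make stops before any of the echo lines, so a user who typed "make authenticate" never learns why the target is considered insecure; if it succeeds, they see passing statistics followed by `exit 1`. Consider dropping the prerequisite so the target only prints the message and fails, and send the echo lines to stderr with `>&2`. The unchanged comment "# Authenticate the current Git checkout by checking signatures on every commit." now sits above both targets and should say that authenticate-self-check is only meaningful on a checkout that is already trusted.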
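
Review bot: the doc/contributing.texi hunk at -1740 swaps in `make authenticate-self-check` without telling the reader what the new name implies. The surrounding sentence still reads "To check that commits are signed with correct key, use:", which a newcomer can take as a way to authenticate a fresh checkout. Add a sentence stating that this target only checks your own commits in a checkout you already trust, and that an untrusted checkout has to be verified by running "guix git authenticate" from an existing Guix installation, as the commit message explains.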
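
Review bot: the etc/git/pre-push hunk at -32 has no comment recording the assumption that makes `exec make authenticate-self-check check-channel-news` acceptable here. The commit message argues that the current commit can reasonably be assumed safe when pushing, but that reasoning lives only in the commit log; a short comment above the `exec` line would keep a later reader from copying this invocation into a context where the Makefile is not trusted.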