Hi, On lun., 30 mai 2022 at 01:45, kias...@disroot.org wrote:
> Authenticate a tarball through a signed tag in a git repository (with > reproducible builds). > > Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/ In this post, it reads: Personally - if I had to decide between these two - I’d prefer the later because I can always try to authenticate the pinned tarball later on, which is the case for Guix. Even, Guix is somehow already implementing this third way because each commit modifying a package is signed. From the post, the file ’chrisduerr.pgp’ and ’kchibisov.pgp’ are the Guix committer keys [1]. (Hum, I do not understand what this means: but it’s impossible to know for sure which source code has been used if all I know is “something that had a valid signature on it”. but that’s another story. :-)) Well, in this frame about security, the question is: who trusts who? I do not think that the addition of an automatic signature check of source code’s author key enforces more security for Guix users. It adds more complexity and does not fix the current bottleneck of trust: the Guix packager and Guix committer. Other said, if you do not trust the Guix packagers and Guix committers, then you have to personally check the authenticity of the source code. Using an automatic process with data from Guix packages or Guix committers contradicts the assumption «you do not trust them». Therefore, it does not fix the current weakness. However, such ’auth-tarball-from-git’ can be of high interest when Submitting Patching [2]: 2. If the authors of the packaged software provide a cryptographic signature for the release tarball, make an effort to verify the authenticity of the archive. For a detached GPG signature file this would be done with the gpg --verify command. Cheers, simon 1: <https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations> 2: <https://guix.gnu.org/manual/devel/en/guix.html#Submitting-Patches>