Hi!

John Kehayias <john.kehay...@protonmail.com> skribis:

> In 2020, the "guix git authenticate" tool was added in order to secure
> updates (1). This protection is still intact! The tool also had the
> secondary effect of protecting developers against malicious commits
> while we are developing. In fact, the manual currently recommends that
> all developers run "make authenticate" after every pull for this
> purpose (2).
>
> Unfortunately, it turns out that "make authenticate" can itself be
> used as an attack vector. The core of the problem is that "make
> authenticate" uses the Makefile before the commits have been
> authenticated, allowing an attacker to replace the Makefile with a
> malicious version. The attacker would need the ability to inject the
> malicious commit into the data you pull: for example, by compromising
> the Savannah server or poisoning a DNS cache. The attached report
> contains full details and a proof of concept.

Yes, that is a problem.

(Initially, the ‘authenticate’ target would even run ‘guix git authenticate’ from the very repo we want to authenticate, because ‘guix git authenticate’ wasn’t widespread yet (see commit 1dba0b4557e67b32e64d98c807fb376604e5d19b). And actually the target predates ‘guix git authenticate’ (see 1e43ab2c032834e43a43eb4c27d6a50bf66b86ba).)

Good news is that starting from yesterday, ‘guix git authenticate’ addresses several usability issues; quoth news.scm:

  Usage of the @command{guix git authenticate} command has been simplified.
  The command is useful to channel authors and to developers willing to
  validate the provenance of their code. On your first use, @command{guix
  git authenticate} will now record the commit and signer (the
  @dfn{introduction}) in the @file{.git/config} file of your repository so
  that you don't have to pass them on the command line in subsequent runs.
  It will also install pre-push and post-merge hooks, unless preexisting
  hooks are found.

(See <https://issues.guix.gnu.org/69780>.)

So now we can remove the ‘authenticate’ target and update our doc to recommend running plain ‘guix git authenticate’.

Thoughts?

Ludo’.
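The ordering problem described in the thread (the Makefile from unauthenticated commits being used before those commits are checked) can be avoided by fetching, authenticating the fetched tip with the already-installed guix, and merging only after that succeeds. The script below is an added illustration of that workflow, not code from the Guix project or from this thread; it assumes the repository's .git/config already records the channel introduction, and the AUTHENTICATE override is an assumption added so the flow can be exercised without a Guix installation.

```shell
#!/bin/sh
# Added example (not Guix project code): fetch, authenticate, then merge.
# Nothing from the newly fetched commits (Makefile included) is executed
# before `guix git authenticate` has accepted them.
set -eu

# The authenticator to run. Assumption: overridable via the environment
# so the flow can be tested without guix; the default uses the installed
# guix, never a copy taken from the repository being checked.
AUTHENTICATE=${AUTHENTICATE:-"guix git authenticate"}

safe_pull() {
  repo=$1
  remote=${2:-origin}
  branch=${3:-master}

  # 1. Fetch only: the working tree and local branch are left untouched.
  git -C "$repo" fetch --quiet "$remote" "$branch" || return 1
  tip=$(git -C "$repo" rev-parse FETCH_HEAD) || return 1

  # 2. Authenticate every commit up to the fetched tip. On failure, refuse
  #    to merge so the local branch stays exactly where it was.
  if ! $AUTHENTICATE -r "$repo" --end="$tip"; then
    echo "authentication of $tip failed; not merging" >&2
    return 1
  fi

  # 3. Only now fast-forward the local branch onto the authenticated commits.
  git -C "$repo" merge --quiet --ff-only "$tip"
}
```

Run as `safe_pull /path/to/guix origin master`; a rejected fetch leaves HEAD unchanged, which is the property the `make authenticate` target could not guarantee.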