>> If you sign the script and it contains say sha512sums for the things it
>> pulls you don't have to sign them separately. It's similar to how many
>> distributions only distribute one file with all the sums that is signed.
>
> I don't think there's an easy way for the user to verify such sums, as
> they would be over large file trees. (Nix would do that but at this
> point they don't have/trust it yet.)

The user doesn't verify those sums or signatures, the installation
script does. The user only has to verify the installation script.

> Perhaps if we built one big self-extracting script and signed it... if
> you'd like to implement that ;-)


This is what the script currently does:

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2";
    curl -L "$url" | bzcat | tar x -C "$unpack" || oops "failed to unpack \`$url'"

What it could do instead is:

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2";
    sig="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2.sig";

    wget "$url" "$sig" || oops "download failed"
    # gpg --verify takes the detached signature first, then the signed file
    gpg --verify "nix-1.11.2-$system.tar.bz2.sig" "nix-1.11.2-$system.tar.bz2" || oops "verification failed"
    # -f must be followed by the archive name; -C is a separate option
    tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Or you could just have the sha512sum embedded in the installation
script:

    case "$(uname -s).$(uname -m)" in
        Linux.x86_64) system=x86_64-linux
                      sum="f3934610bdc68b276a362b9079b18dd6d28221a727ec71ed3a3a11fddcee59dd2fa1ac401b3a25d668e880c04bcd4c971cf82861820b5ff678353f7e7ba1bfc41  nix-1.11.2-x86_64-linux.tar.bz2";;
        Linux.i?86) system=i686-linux
                    sum="fa52b31a63603be5370c2a25ca9b192fbb8f50038904a9a4d590a6abefdb3b46c362d1f49dbee5fa09175ebdcbb84317615a3d647197da1485f5543d7ff7fc0a  nix-1.11.2-i686-linux.tar.bz2";;
        Darwin.x86_64) system=x86_64-darwin
                       sum="f0af3f2ca025fae9e026ce0ad53852d05faa0f11cf2a3be239d5dfec1a2c7f47cb9a43a17cd4c5894064fa9e99b444ab80b9ca0659011a21dc79269758c631ef6  nix-1.11.2-x86_64-darwin.tar.bz2";;
        *) oops "sorry, there is no binary distribution of Nix for your platform";;
    esac

    url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2";

    wget "$url" || oops "download failed"

    # sha512sum prints "<digest>  <name>", so this must run in the directory
    # the tarball was downloaded to, with the same file name as in $sum
    [ "$(sha512sum "nix-1.11.2-$system.tar.bz2")" = "$sum" ] || oops "verification failed"

    # -f must be followed by the archive name; -C is a separate option
    tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Of course the gpg signature would be better because people can verify
that manually as well, instead of having to verify the installation
script and to verify the tarballs by proxy.
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
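The embedded-sum variant discussed in the message above, as an added example that is not code from the nix-dev thread or from the Nix installer: the sum line is stored in the same `<digest>  <name>` format that `sha512sum` prints, only the digest field is compared (so the check does not break when the file is saved under another path), and the tarball is unpacked only after the digest matches. The function names (`oops`, `verify_sum`, `unpack_verified`) and the sample payload are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the nix-dev thread or the Nix installer. Names and
# sample data are constructed for illustration.

oops() { printf '%s\n' "$*" >&2; return 1; }

# verify_sum FILE SUMLINE
# Return 0 when FILE's SHA-512 digest equals the digest field of SUMLINE.
# SUMLINE is in sha512sum's "<digest>  <name>" format, as an installer would
# embed it. Comparing only the digest field keeps the check working when the
# file was saved under a different path than the name recorded in SUMLINE.
verify_sum() {
    file=$1 sumline=$2
    [ -f "$file" ] || { oops "missing file: $file"; return 1; }
    expected=${sumline%% *}
    # A SHA-512 digest is 128 hex characters; reject anything else as a
    # damaged or truncated embedded sum rather than silently comparing it.
    [ ${#expected} -eq 128 ] || { oops "malformed embedded sum"; return 1; }
    actual=$(sha512sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# unpack_verified FILE SUMLINE DEST
# Unpack FILE (a .tar.bz2) into DEST only after verify_sum succeeds. On a
# mismatch nothing is created or extracted and the function returns 1.
unpack_verified() {
    file=$1 sumline=$2 dest=$3
    verify_sum "$file" "$sumline" || { oops "verification failed for $file"; return 1; }
    mkdir -p "$dest" || return 1
    # -f takes the archive name, so it must directly follow the flags;
    # "tar -xjf -C ..." would treat "-C" as the archive name.
    tar -xjf "$file" -C "$dest" || { oops "unpacking failed"; return 1; }
}
```

An installer would set `sumline` from a `case` on `uname` output exactly as the message above does, then call `unpack_verified "nix-1.11.2-$system.tar.bz2" "$sum" "$unpack"`; because the digest is compared before `mkdir`/`tar` run, a tampered or truncated download leaves no partially extracted tree behind.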