Handle signed narinfo files

[shlevy]

The binary cache substituter should be able to verify signed .narinfo files (and ensure that the downloaded .nar file matches the hash in the .narinfo file). This will help prevent MITM attacks and allow non-root users to use binary caches whose public keys have been trusted by root.

[vcunat]

What about starting to use this feature by default? Can Hydra produce signed caches?

[domenkozar]

@edolstra this is fixed, right?

[wmertens]

...and does Hydra have a key? Shouldn't we distribute that key with the default nix install?

[edolstra]

Hydra does provide a signed binary cache, but I'm not sure we should include the key in Nix because we don't really want to encourage people using Hydra's binary cache instead of cache.nixos.org.

Cache.nixos.org is not currently signed, though.

[wmertens]

Indeed. So what would it take to sign cache.nixos.org? I'm actually
surprised that the build products aren't the same? Are they not copies from
Hydra? I'm probably missing a piece in the Hydra->cache.nixos.org workflow.

On Thu Jan 22 2015 at 3:04:58 PM Eelco Dolstra notifications@github.com
wrote:

Hydra does provide a signed binary cache, but I'm not sure we should
include the key in Nix because we don't really want to encourage people
using Hydra's binary cache instead of cache.nixos.org.

Cache.nixos.org is not currently signed, though.

—
Reply to this email directly or view it on GitHub
#75 (comment).

[edolstra]

Yes, they're copied from Hydra, but the signatures are not copied.

Signing cache.nixos.org wouldn't be hard but it would require signing all NARs that are already there (which is quite a lot).

[vcunat]

Oh, I thought each NAR would have its own signature. Signatures should be small enough to afford that, well under a kilobyte IMHO.

[edolstra]

@vcunat It's actually the .narinfo files tar contain a signature:

$ curl http://hydra.nixos.org/la5imi1602jxhpds9675n2n2d0683lbq.narinfo
StorePath: /nix/store/la5imi1602jxhpds9675n2n2d0683lbq-glibc-2.20
URL: nar/la5imi1602jxhpds9675n2n2d0683lbq-glibc-2.20
Compression: bzip2
NarHash: sha256:1s536x07qfv6xzby6vc46h0lw207kfmllsyswa9d38h4ix3l429h
NarSize: 32411536
References: la5imi1602jxhpds9675n2n2d0683lbq-glibc-2.20 qwwxgsg6l33lhx0v75mgmb077qggh8yl-linux-headers-3.12.32
Deriver: acim6v6lskfyjxjw0gg8dk7mh6vx76yj-glibc-2.20.drv
System: x86_64-linux
Signature: 1;hydra.nixos.org-1;pTmO8ckMiKCUcxMAS5Qdd8Vly9CBnEm3J6ie1sP3HvqmWoYA0znlSJDeU19WXuLk/h8X1nlVk4vhLdVxBmgepSMPJoqbjPuEZoE4GvKeB/ZIB+RkSDZLV1n+Wrn4KZ81XN/oRxho8Po+rbO2qijs4YZXuW4eZP4WKy67JH2/Uj81hez0Yq5HXppJkgGAUEEkBl4v/dq9mvd9s0pxWijm5gy+E4YOG5bayYoPegBGpcNRMOzYPHhe3I/hJKGw8vhSExtNzQiJ0Hc0LjRR3Pnwmaiy5QXF8dHBjmD+RHsEAE8sE8TUBzwFKrjqFlC7oZaT2Lm/fUr5sSR1oSHogB0qTw==

[vcunat]

Why not start copying those *.narinfo with signatures just for NARs that are newly copied to the cache?

BTW, I wonder... cache.nixos.org has a different NarHash for this same narinfo. (There's a different compression, but docs say it's supposed to be hash of uncompressed NAR.) I guess it's some non-determinism/impurity, still even in glibc.

[edolstra]

cache.nixos.org uses base-16 in the NarHash field rather than base-32, but the actual hash is the same.