Handle signed narinfo files #75
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary cache, do:

    $ openssl genrsa -out ./cache-key.sec 2048
    $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.)

To create a binary cache signed with the private key:

    $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients. Their nix.conf should contain something like:

    signed-binary-caches = *
    binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then when Nix fetches something from the signed binary cache, you will see a message like:

    *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like:

    NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info file, which looks like this:

    Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of the key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line.

Issue #75.
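As an added example, not code from the Nix repository or the commit above: a small POSIX shell script that appends a Signature line in the three-field layout just described and checks it on the client side, rejecting a missing Signature line, a wrong version or key name, and any change to the signed contents. It assumes the signature is produced with `openssl dgst -sha256 -sign` (a PKCS#1 v1.5 signature over the SHA-256 digest), which the commit message does not confirm for nix-push, and the narinfo it signs is constructed (the NarHash value is a placeholder; the store path and key name are the ones used above).

```shell
#!/bin/sh
# Added example, not Nix's own code: produce and check the Signature line
# described above ("Signature: <version>;<key name>;<base64 signature>").
# Assumption: the signature is `openssl dgst -sha256 -sign` (PKCS#1 v1.5 over
# SHA-256) of the narinfo contents that precede the Signature line; the commit
# message does not confirm that nix-push used exactly this encoding.
set -eu

# Append a Signature line to narinfo $1 using private key $2 under key name $3.
sign_narinfo() {
  sig=$(openssl dgst -sha256 -sign "$2" "$1" | base64 | tr -d '\n')
  printf 'Signature: 1;%s;%s\n' "$3" "$sig" >> "$1"
}

# Verify narinfo $1 against public key $2, which the client trusts under key
# name $3 (the binary-cache-public-key-<name> setting). Returns 0 only when the
# version is 1, the key name matches and the signature verifies; anything else
# means the narinfo must be ignored, as in the "invalid signature" message above.
verify_narinfo() {
  narinfo=$1 pub=$2 expect=$3
  line=$(grep '^Signature: ' "$narinfo" | tail -n 1)
  [ -n "$line" ] || return 1
  old_ifs=$IFS; IFS=';'; set -- ${line#Signature: }; IFS=$old_ifs
  [ "$#" -eq 3 ] && [ "$1" = 1 ] && [ "$2" = "$expect" ] || return 1
  msg=$(mktemp); sigfile=$(mktemp)
  # The signed message is everything up to, not including, the Signature line.
  sed '/^Signature: /,$d' "$narinfo" > "$msg"
  printf '%s' "$3" | base64 -d > "$sigfile"
  rc=0
  openssl dgst -sha256 -verify "$pub" -signature "$sigfile" "$msg" >/dev/null 2>&1 || rc=1
  rm -f "$msg" "$sigfile"
  return $rc
}

# Generate a key pair as in the commit message, write a constructed narinfo
# (NarHash is a placeholder, not a real hash), sign it, and print the temp dir.
setup_demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/cache-key.sec" 2048 2>/dev/null
  openssl rsa -in "$d/cache-key.sec" -pubout -out "$d/cache-key.pub" 2>/dev/null
  cat > "$d/sample.narinfo" <<EOF
StorePath: /nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11
URL: nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j.nar.xz
Compression: xz
NarHash: sha256:PLACEHOLDER
EOF
  sign_narinfo "$d/sample.narinfo" "$d/cache-key.sec" cache.example.org-1
  echo "$d"
}
```

Run `d=$(setup_demo)` and then `verify_narinfo "$d/sample.narinfo" "$d/cache-key.pub" cache.example.org-1` to see a successful check; editing any line above the Signature line makes the same call fail.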
What about starting to use this feature by default? Can Hydra produce signed caches?

@edolstra this is fixed, right?

...and does Hydra have a key? Shouldn't we distribute that key with the default nix install?

Hydra does provide a signed binary cache, but I'm not sure we should include the key in Nix because we don't really want to encourage people using Hydra's binary cache instead of cache.nixos.org. Cache.nixos.org is not currently signed, though.

Indeed. So what would it take to sign cache.nixos.org? I'm actually

Yes, they're copied from Hydra, but the signatures are not copied. Signing cache.nixos.org wouldn't be hard but it would require signing all NARs that are already there (which is quite a lot).

Oh, I thought each NAR would have its own signature. Signatures should be small enough to afford that, well under a kilobyte IMHO.

@vcunat It's actually the .narinfo files that contain a signature:

Why not start copying those *.narinfo with signatures just for NARs that are newly copied to the cache? BTW, I wonder... cache.nixos.org has a different NarHash for this same narinfo. (There's a different compression, but docs say it's supposed to be hash of uncompressed NAR.) I guess it's some non-determinism/impurity, still even in glibc.

All of cache.nixos.org is signed now.
The binary cache substituter should be able to verify signed .narinfo files (and ensure that the downloaded .nar file matches the hash in the .narinfo file). This will help prevent MITM attacks and allow non-root users to use binary caches whose public keys have been trusted by root.