Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] 1password: check binary code signature during build #42580

Closed
wants to merge 5 commits into from
Closed

[WIP] 1password: check binary code signature during build #42580

wants to merge 5 commits into from

Conversation

xeji
Copy link
Contributor

@xeji xeji commented Jun 25, 2018

Motivation for this change

Check binary code signatures during checkPhase using upstream code signing key.
I don't use 1password myself (it's an unfree, commercial service) but the discussion in #42539 prompted me to try this because code signing is a topic that needs more attention in nixpkgs anyway.

cc @jb55 @marsam for testing.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@xeji xeji mentioned this pull request Jun 25, 2018
Merged
9 tasks
@jb55
Copy link
Contributor

jb55 commented Jun 25, 2018 via email

jb55
jb55 approved these changes Jun 25, 2018
View reviewed changes
Copy link
Contributor

@jb55 jb55 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@marsam
Copy link
Contributor

marsam commented Jun 25, 2018

LGTM 👍

@matthewbauer
Copy link
Member

👎 I don't like ad-hoc uses like this. Maybe a setup hook would be better?

@xeji
Copy link
Contributor Author

xeji commented Jun 25, 2018

A setup hook might be a good idea for signed tarballs. In this case, the tarball itself isn't signed but contains a binary and a signature file. I don't see a good generic solution for this.

@garbas
Copy link
Member

garbas commented Jun 26, 2018

Not in this case, but in case of signed tarbals it would make sense to extend fetchurl to also allow checking for signatures, eg:

fetchurl {
  url = "....";
  sha256 = "....";
  public_key = ./1password.pub.key;
}

@jb55
Copy link
Contributor

jb55 commented Jun 26, 2018

Another question: should we be committing keys to the repo or fetching them? A large number of public keys may take up a decent amount of space over time?

@xeji
Copy link
Contributor Author

xeji commented Jun 26, 2018

In the long run it would be better to fetch and cache them like we do with sources or patches.
But that requires a stable download URL plus an additional step of verifying the key's fingerprint.
Probably leads to an abstraction like fetchpubkey ...

@matthewbauer
Copy link
Member

matthewbauer commented Jun 26, 2018
edited

Another question: should we be committing keys to the repo or fetching them? A large number of public keys may take up a decent amount of space over time?

Yes this is definitely a good concern. Also what security does the signature add that the sha256 doesn't have? For both we have to trust that the signature in Nixpkgs is valid & not been tampered with. We should just tell people to verify the signature before updating the sha256 hash in pull requests updating 1password.

@xeji
Copy link
Contributor Author

xeji commented Jun 26, 2018

These things always come down to "you gotta trust something in the beginning".
Still better than trusting a sha256 on a TOFU basis because the public keys, as opposed to sha256 hashes, are typically long-term and rarely change. Makes it more likely that attacks will be spotted.

@jb55
Copy link
Contributor

jb55 commented Jun 26, 2018 via email

xeji added 2 commits July 8, 2018 00:59
@xeji
build-support: add fetchpgpkey
29f723b 
downloads a pgp public key and verifies its fingerprint
@xeji
1password: use fetchpgpkey
aefefec
@xeji xeji changed the title 1password: check binary code signature during build [WIP] 1password: check binary code signature during build Jul 7, 2018
@xeji
Copy link
Contributor Author

xeji commented Jul 7, 2018

Using this as an example to create helpers for verifying signed code. I plan to implement a setup hook with some functions for signature verification next.

@jb55
Copy link
Contributor

jb55 commented Jul 8, 2018 via email

@xeji xeji requested a review from Ericson2314 as a code owner July 8, 2018 12:30
@xeji
Copy link
Contributor Author

xeji commented Jul 8, 2018

continued in #43233, which aims at a more general solution

@xeji xeji closed this Jul 8, 2018
@xeji xeji deleted the p/checksig-1password branch July 8, 2018 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puffnfresh puffnfresh puffnfresh approved these changes

@jb55 jb55 jb55 approved these changes

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

Assignees
No one assigned
Labels
2.status: work-in-progress 6.topic: fetch 8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@xeji @jb55 @marsam @matthewbauer @garbas @puffnfresh @GrahamcOfBorg