[WIP] 1password: check binary code signature during build #42580
Conversation
Check binary code signatures during `checkPhase` using upstream code signing key.
Tested ACK, seems to work. Nice!
LGTM 👍

👎 I don't like ad-hoc uses like this. Maybe a setup hook would be better?

A setup hook might be a good idea for signed tarballs. In this case, the tarball itself isn't signed but contains a binary and a signature file. I don't see a good generic solution for this.

Not in this case, but in case of signed tarballs it would make sense to extend fetchurl:

    fetchurl {
      url = "....";
      sha256 = "....";
      public_key = ./1password.pub.key;
    }

Another question: should we be committing keys to the repo or fetching them? A large number of public keys may take up a decent amount of space over time?

In the long run it would be better to fetch and cache them like we do with sources or patches. |
Yes, this is definitely a good concern. Also, what security does the signature add that the sha256 doesn't have? For both we have to trust that the signature in Nixpkgs is valid and has not been tampered with. We should just tell people to verify the signature before updating the sha256 hash in pull requests updating 1password.
These things always come down to "you gotta trust something in the beginning". |
Another thing that would be nice:

I'm currently in the process of upgrading the trezor bridge: the release tagged commit is signed but the hash I'm getting from fetchFromGitHub is not. I'm trying to re-create the hash with nix-hash without any luck. It would be cool if there was a way to provide a public key to fetchgit, which would verify the commit with git-verify-commit after checkout.

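The fetchgit feature wished for above, as an added example that is not nixpkgs code and not part of this PR: a hypothetical `fetchgitVerified` that keeps the `.git` directory, imports a pinned public key and runs `git verify-commit` on the checked-out commit, failing the build unless the signature is valid and made by the expected key. The function name, argument names and the `fingerprint`/`publicKey` inputs are assumptions.

```nix
# Added example, not nixpkgs code: a hypothetical `fetchgitVerified` that
# runs `git verify-commit` on the checked-out commit against a pinned key,
# the feature the comment above wishes fetchgit had. All names are assumptions.
{ fetchgit, runCommand, git, gnupg }:

{ url, rev, sha256, publicKey, fingerprint }:
let
  # leaveDotGit keeps the .git directory; without it the signed commit object
  # is gone after checkout and there is nothing left to verify.
  src = fetchgit { inherit url rev sha256; leaveDotGit = true; };
in runCommand "${baseNameOf url}-verified" { nativeBuildInputs = [ git gnupg ]; } ''
  export GNUPGHOME=$(mktemp -d)
  gpg --batch --import ${publicKey}
  # --raw prints gpg's machine-readable status lines (on stderr). A good
  # signature alone is not enough: VALIDSIG names the signing key, so a valid
  # signature from some other key in the keyring still fails the build.
  if ! git -c safe.directory='*' -C ${src} verify-commit --raw HEAD > status.txt 2>&1 \
     || ! grep -q "VALIDSIG ${fingerprint} " status.txt; then
    cat status.txt >&2
    echo "HEAD of ${url} is not signed by ${fingerprint}" >&2
    exit 1
  fi
  cp -r ${src} $out
''
```

Two caveats a practitioner would want: `rev` should be the full commit id, because `verify-commit HEAD` checks the commit, not a tag (that is `git verify-tag`); and `leaveDotGit = true` makes the fixed-output hash depend on the git version that produced the repository, which is the kind of hash mismatch the comment above runs into.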
downloads a pgp public key and verifies its fingerprint
Using this as an example to create helpers for verifying signed code. I plan to implement a setup hook with some functions for signature verification next.

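The two pieces discussed earlier in this thread, fetchurl extended with a public key for signed tarballs and a fetcher that downloads a PGP key and pins it by fingerprint, as one added example that is not nixpkgs code and not this PR's: a hypothetical `fetchPgpKey` and a hypothetical `fetchurlSigned`. The function names, the `sigUrl`/`sigSha256` arguments and every URL, hash and fingerprint are assumptions.

```nix
# Added example, not nixpkgs code and not this PR's: a hypothetical
# `fetchPgpKey` (download a key, refuse it unless its fingerprint matches)
# and a hypothetical `fetchurlSigned` (fetchurl plus a detached-signature
# check). Every URL, hash and fingerprint passed to these is a placeholder.
{ fetchurl, runCommand, gnupg }:

rec {
  # Fetch a PGP public key and pin it by fingerprint; the output is the
  # armored key, so the build fails loudly if the served key ever changes.
  fetchPgpKey = { url, sha256, fingerprint }:
    runCommand "pgp-key-${fingerprint}.asc" { nativeBuildInputs = [ gnupg ]; } ''
      export GNUPGHOME=$(mktemp -d)
      gpg --batch --import ${fetchurl { inherit url sha256; }}
      # --with-colons prints one "fpr:...:<FINGERPRINT>:" line per key
      gpg --batch --with-colons --fingerprint > keys.txt
      grep -q '^fpr:.*:${fingerprint}:$' keys.txt \
        || { echo "fetched key is not ${fingerprint}" >&2; exit 1; }
      gpg --batch --armor --export ${fingerprint} > $out
    '';

  # fetchurl with a public key, as sketched in the thread. The signature is a
  # separate download because the tarball itself is not self-signed.
  fetchurlSigned = { url, sha256, sigUrl, sigSha256, publicKey }:
    let
      tarball   = fetchurl { inherit url sha256; };
      signature = fetchurl { url = sigUrl; sha256 = sigSha256; };
    in runCommand (baseNameOf url) { nativeBuildInputs = [ gnupg ]; } ''
      export GNUPGHOME=$(mktemp -d)
      gpg --batch --import ${publicKey}
      # gpg exits non-zero on a bad signature or an unknown key, which fails
      # this derivation and therefore every package that depends on it.
      gpg --batch --verify ${signature} ${tarball}
      cp ${tarball} $out
    '';
}
```

Load it with `callPackage` (the file name is up to you) and pass either `publicKey = ./1password.pub.key;` for a key committed to the repo, or `publicKey = fetchPgpKey { ... };` to fetch and cache it like a source, which covers both sides of the commit-vs-fetch question raised above. Note that the sha256 still pins the bytes; the signature adds a check that those bytes were produced by the holder of the pinned key, which matters at the moment someone updates the hash.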
> Using this as an example to create helpers for verifying signed code. I plan to implement a setup hook with some functions for signature verification next.

awesome!

continued in #43233, which aims at a more general solution

Motivation for this change

Check binary code signatures during checkPhase using upstream code signing key. I don't use 1password myself (it's an unfree, commercial service) but the discussion in #42539 prompted me to try this because code signing is a topic that needs more attention in nixpkgs anyway.
cc @jb55 @marsam for testing.
Things done

- Tested using sandboxing (sandbox in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
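A sketch of the approach this PR describes, as an added example rather than the PR's own diff: a checkPhase that verifies the unpacked binary against the signature file shipped in the same archive, using a copy of the upstream code-signing key committed next to the expression. The archive layout (`op` plus `op.sig`), the key file name, the version, URL, sha256 and fingerprint are all assumptions or placeholders.

```nix
# Added example, not this PR's diff: verify the unpacked binary in checkPhase
# with a committed copy of the upstream code-signing key. The archive layout
# (op + op.sig), ./1password.pub.key, version, URL, hash and fingerprint are
# assumptions or placeholders.
{ stdenv, fetchurl, unzip, gnupg }:

stdenv.mkDerivation rec {
  name = "1password-${version}";
  version = "0.0.0";  # placeholder

  src = fetchurl {
    url = "https://example.invalid/op_linux_amd64_v${version}.zip";  # placeholder
    sha256 = "0000000000000000000000000000000000000000000000000000";  # placeholder
  };

  # The zip has files at its top level, so unpack into the build directory.
  sourceRoot = ".";
  nativeBuildInputs = [ unzip gnupg ];

  # Fingerprint of the key expected to have signed the binary (placeholder).
  signingKeyFingerprint = "0000000000000000000000000000000000000000";

  doCheck = true;
  checkPhase = ''
    runHook preCheck
    export GNUPGHOME=$(mktemp -d)
    gpg --batch --import ${./1password.pub.key}
    # A good signature alone is not enough, since any key in the keyring
    # would do. --status-fd emits a VALIDSIG line carrying the signer's
    # fingerprint, so check that the signer is the pinned upstream key.
    # gpg itself exits non-zero on a bad signature, which fails the build.
    gpg --batch --status-fd 1 --verify op.sig op > gpg-status.txt
    grep -q "^\[GNUPG:\] VALIDSIG ${signingKeyFingerprint} " gpg-status.txt \
      || { echo "op is not signed by ${signingKeyFingerprint}" >&2; exit 1; }
    runHook postCheck
  '';

  installPhase = ''
    runHook preInstall
    install -Dm755 op $out/bin/op
    runHook postInstall
  '';
}
```

Because the key lives in the repository, the trust anchor is the nixpkgs checkout itself, which is the point made above that "you gotta trust something in the beginning"; the check still catches a tampered or mismatched archive at the moment a contributor updates the sha256.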