From: Björn Höfling
To: 34125@debbugs.gnu.org
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100
Message-ID: <20190118162301.52eaeb12@alma-ubu>

I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be safeguarded by a PGP-signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others' wget-scripts that install whatever to the user.

WDYT?

Björn


From: Ricardo Wurmus
To: Björn Höfling
Cc: 34125@debbugs.gnu.org
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Tue, 22 Jan 2019 08:18:09 +0100
Message-ID: <87womxcg9a.fsf@elephly.net>
In-Reply-To: <20190118162301.52eaeb12@alma-ubu>

Hi Björn,

> I was looking at the installation video from Laura (not yet public) and
> wondered about that:
>
> We just download the installation script:
>
> $ wget https://.../guix-install.sh
>
> Then we go on directly executing that script.
>
> Shouldn't that be safeguarded by a PGP-signature too?

I don’t know.

> Because if it is not, the user could be tricked into a script that
> downloads a "bad" Guix installation tarball.

To avoid having the user tricked we use HTTPS. At least the users will
know that this file comes from the official project website.

A user who is tricked into downloading a script from a malicious site
could just as well download a matching signature from somewhere else, so
the script body itself should be signed. We can’t sign the whole file
because the first line must be the shebang — unless we forgo the shebang
and the “chmod +x” instruction and ask people to execute it with “sudo
bash guix-install.sh”. “gpg --clear-sign” adds a block of text before
and after the file, which would be a syntax error in a shell script.

We are probably stuck with having a separate signature file. I don’t
know if it’s worth doing when HTTPS is used to fetch the script from an
authoritative source.

> That's what we are always
> criticising about others' wget-scripts that install whatever to the user.

The criticism is aimed at “curl | sudo bash” instructions that execute
scripts off the Internet without prior inspection as root.

--
Ricardo


From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Björn Höfling
Subject: bug#34125: closed (Re: bug#34125: Installation script needs to be secured with a gpg signature)
Date: Fri, 25 Jan 2019 21:26:02 +0000
Reply-To: 34125@debbugs.gnu.org

Your bug report

#34125: Installation script needs to be secured with a gpg signature

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 34125@debbugs.gnu.org.

--
34125: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34125
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: Björn Höfling
To: Ricardo Wurmus
Cc: 34125-done@debbugs.gnu.org, Laura Lazzati
Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 25 Jan 2019 22:25:47 +0100
Message-ID: <20190125222547.5a01b1dc@alma-ubu>
In-Reply-To: <87womxcg9a.fsf@elephly.net>

On Tue, 22 Jan 2019 08:18:09 +0100
Ricardo Wurmus wrote:

> Hi Björn,
>
> > I was looking at the installation video from Laura (not yet public)
> > and wondered about that:
> >
> > We just download the installation script:
> >
> > $ wget https://.../guix-install.sh
> >
> > Then we go on directly executing that script.
> >
> > Shouldn't that be safeguarded by a PGP-signature too?
>
> I don’t know.
>
> > Because if it is not, the user could be tricked into a script that
> > downloads a "bad" Guix installation tarball.
>
> To avoid having the user tricked we use HTTPS. At least the users
> will know that this file comes from the official project website.
>
> A user who is tricked into downloading a script from a malicious site
> could just as well download a matching signature from somewhere else,
> so the script body itself should be signed. We can’t sign the whole
> file because the first line must be the shebang — unless we forgo the
> shebang and the “chmod +x” instruction and ask people to execute it
> with “sudo bash guix-install.sh”. “gpg --clear-sign” adds a block of
> text before and after the file, which would be a syntax error in a
> shell script.
>
> We are probably stuck with having a separate signature file. I don’t
> know if it’s worth doing when HTTPS is used to fetch the script from
> an authoritative source.
>

OK, agreed. Let's close this.

Björn
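
Added example, not part of the thread and not the Guix project's code. The reply above settles on a separate signature file and notes that a user tricked onto a malicious site can be handed a matching signature as well, so the check below compares the signer against a key fingerprint obtained independently of the download. It assumes GnuPG 2.x status output; PINNED_FPR is a placeholder and the file name guix-install.sh.sig is hypothetical.

```shell
#!/bin/sh
# Verify a detached signature on a downloaded installer and require that it
# was made by a pinned key before the script is executed.
# PINNED_FPR is a placeholder, NOT the project's real signing key; the real
# value must come from a channel other than the site serving the script.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# signer_fpr FILE SIG
# Prints the primary-key fingerprint behind a valid signature; returns 1 if
# gpg rejects the signature or reports no VALIDSIG line.
signer_fpr() {
    # --status-fd 1 makes gpg emit machine-readable "[GNUPG:] ..." lines.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # VALIDSIG layout (GnuPG 2.x): field 3 is the signing (sub)key,
    # field 12 the primary key fingerprint.
    printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 {
                 print $12; found = 1; exit
             }
             END { exit (found ? 0 : 1) }'
}

# verify_installer FILE SIG
# 0: valid signature by the pinned key
# 1: missing, bad or unverifiable signature
# 2: cryptographically valid, but made by some other key
verify_installer() {
    fpr=$(signer_fpr "$1" "$2") || {
        echo "no valid signature on $1" >&2
        return 1
    }
    if [ "$fpr" != "$PINNED_FPR" ]; then
        echo "$1 is signed by unexpected key $fpr" >&2
        return 2
    fi
}

# Usage (signature file name is hypothetical):
#   verify_installer guix-install.sh guix-install.sh.sig \
#       && sudo bash guix-install.sh
```

Return code 2 is the case the reply describes: a signature that verifies, made by a key the attacker supplied.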