From unknown Fri Jun 20 20:10:39 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#34125 <34125@debbugs.gnu.org> To: bug#34125 <34125@debbugs.gnu.org> Subject: Status: Installation script needs to be secured with a gpg signature Reply-To: bug#34125 <34125@debbugs.gnu.org> Date: Sat, 21 Jun 2025 03:10:39 +0000 retitle 34125 Installation script needs to be secured with a gpg signature reassign 34125 guix submitter 34125 Bj=C3=B6rn H=C3=B6fling severity 34125 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 18 10:23:16 2019 Received: (at submit) by debbugs.gnu.org; 18 Jan 2019 15:23:16 +0000 Received: from localhost ([127.0.0.1]:36926 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gkVzG-0007Yr-Tl for submit@debbugs.gnu.org; Fri, 18 Jan 2019 10:23:16 -0500 Received: from eggs.gnu.org ([209.51.188.92]:39826) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gkVzE-0007Yc-TM for submit@debbugs.gnu.org; Fri, 18 Jan 2019 10:23:13 -0500 Received: from lists.gnu.org ([209.51.188.17]:48187) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gkVz8-0006qB-D0 for submit@debbugs.gnu.org; Fri, 18 Jan 2019 10:23:06 -0500 Received: from eggs.gnu.org ([209.51.188.92]:50023) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gkVz7-0006AA-Fv for bug-guix@gnu.org; Fri, 18 Jan 2019 10:23:06 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,FROM_EXCESS_BASE64 autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gkVz6-0006nU-MA for bug-guix@gnu.org; Fri, 18 Jan 2019 10:23:05 -0500 Received: from m4s11.vlinux.de ([83.151.27.109]:40366 helo=bjoernhoefling.de) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gkVz6-0006kX-GF for bug-guix@gnu.org; Fri, 18 Jan 2019 10:23:04 -0500 Received: from alma-ubu (pD951FD4A.dip0.t-ipconnect.de [217.81.253.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bjoernhoefling.de (Postfix) with ESMTPSA id CEA163F964 for ; Fri, 18 Jan 2019 16:23:01 +0100 (CET) Date: Fri, 18 Jan 2019 16:23:01 +0100 From: =?UTF-8?B?QmrDtnJuIEjDtmZsaW5n?= To: Subject: Installation script needs to be secured with a gpg signature Message-ID: <20190118162301.52eaeb12@alma-ubu> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/D7MBdenhVprfjivowLdr_vR"; protocol="application/pgp-signature" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 83.151.27.109 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Spam-Score: 0.1 (/) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.9 (/) --Sig_/D7MBdenhVprfjivowLdr_vR Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I was looking at the installation video from Laura (not yet public) and wondered about that: We just download the installation script: $ wget https://.../guix-install.sh Then we go on directly executing that script. Shouldn't that be save-garded by a PGP-signature too? Because if it is not, the user could be tricked into a script that downloads a "bad" Guix installation tarball. That's what we are always criticising about others wget-scripts that install whatever to the user. WDYT? Bj=C3=B6rn --Sig_/D7MBdenhVprfjivowLdr_vR Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQQiGUP0np8nb5SZM4K/KGy2WT5f/QUCXEHvVQAKCRC/KGy2WT5f /VfvAJ9KbqNvMkpP6Jr9OoS3t7eRI7rLNwCfbwHosiBhxm6UMP+QYxLGe6KHhHE= =uUSC -----END PGP SIGNATURE----- --Sig_/D7MBdenhVprfjivowLdr_vR-- From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 22 02:18:38 2019 Received: (at 34125) by debbugs.gnu.org; 22 Jan 2019 07:18:38 +0000 Received: from localhost ([127.0.0.1]:40712 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1glqKT-0002Oh-V8 for submit@debbugs.gnu.org; Tue, 22 Jan 2019 02:18:38 -0500 Received: from sender-of-o53.zoho.com ([135.84.80.218]:21727) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1glqKR-0002OW-8d for 34125@debbugs.gnu.org; Tue, 22 Jan 2019 02:18:36 -0500 ARC-Seal: i=1; a=rsa-sha256; t=1548141495; cv=none; d=zoho.com; s=zohoarc; b=ZHs6HLf6g//86SOpRKOpUOyHQiBoWwv6d/rU5eN8JxvmEOJKJUG0fX94zNWGSxBVe4ha0qP1hHaoTAEn19JM17eAfdWdOIbXRnO4AcWJh3x+HxM6bWfNGy8utbXG0fhdsrSkGh6eYOnLS3+wx2nb2ht4Ee5M/TfRDrs+CcQV+1I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1548141495; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To:ARC-Authentication-Results; bh=r7EddPUHsufUHzQM1ytIQU8+rP5pcDH6zgwq1n2Q2kQ=; b=Gi1cLNQYoyeLsEAKw9vStj6yqX0Fn42p9VV8fh6+MFkE51AauvTNq4Bw2z5YGUFu/NVN+Pz+NymB9u0NflGMX/r+GgjiPKivYscqHZyN4k0V5y/1rPIXAOi1bMdUnSaHoT/yUYteJsfBh0k/ONqzJTthPlOCS1FpALcSLE4+OyU= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass header.i=elephly.net; spf=pass smtp.mailfrom=rekado@elephly.net; dmarc=pass header.from= header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1548141495; s=zoho; d=elephly.net; i=rekado@elephly.net; h=References:From:To:Cc:Subject:In-reply-to:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding; l=1647; bh=r7EddPUHsufUHzQM1ytIQU8+rP5pcDH6zgwq1n2Q2kQ=; b=KouEpApdgD0W59VSqAY9RtFd5o/dOul7Ua1K7G5HbGpkdE1emnT60qteqGX4wxkD ZLPrXMERaD7aFC+y3cXdzuVp6mfPvcIglZ89J0Thr5dGeG1uLdyAVmRxb9unKwSrzzJ WN0dPC4rKffEhRlUfqexzfb6BcyT1XmrTfpzXEaw= Received: from localhost (p578E7FB1.dip0.t-ipconnect.de [87.142.127.177]) by mx.zohomail.com with SMTPS id 154814149299410.644598586483198; Mon, 21 Jan 2019 23:18:12 -0800 (PST) References: <20190118162301.52eaeb12@alma-ubu> User-agent: mu4e 1.0; emacs 26.1 From: Ricardo Wurmus To: =?utf-8?Q?Bj=C3=B6rn_H=C3=B6fling?= Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature In-reply-to: <20190118162301.52eaeb12@alma-ubu> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Tue, 22 Jan 2019 08:18:09 +0100 Message-ID: <87womxcg9a.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 34125 Cc: 34125@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Bj=C3=B6rn, > I was looking at the installation video from Laura (not yet public) and > wondered about that: > > We just download the installation script: > > $ wget https://.../guix-install.sh > > Then we go on directly executing that script. > > Shouldn't that be save-garded by a PGP-signature too? I don=E2=80=99t know. > Because if it is not, the user could be tricked into a script that > downloads a "bad" Guix installation tarball. To avoid having the user tricked we use HTTPS. At least the users will know that this file comes from the official project website. A user who is tricked into downloading a script from a malicious site could just as well download a matching signature from somewhere else, so the script body itself should be signed. We can=E2=80=99t sign the whole f= ile because the first line must be the shebang =E2=80=94 unless we forgo the sh= ebang and the =E2=80=9Cchmod +x=E2=80=9D instruction and ask people to execute it= with =E2=80=9Csudo bash guix-install.sh=E2=80=9D. =E2=80=9Cgpg --clear-sign=E2=80=9D adds a b= lock of text before and after the file, which would be a syntax error in a shell script. We are probably stuck with having a separate signature file. I don=E2=80= =99t know if it=E2=80=99s worth doing when HTTPS is used to fetch the script fro= m an authoritative source. > That's what we are always > criticising about others wget-scripts that install whatever to the user. The criticism is aimed at =E2=80=9Ccurl | sudo bash=E2=80=9D instructions t= hat execute scripts off the Internet without prior inspection as root. -- Ricardo From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 25 16:25:53 2019 Received: (at 34125-done) by debbugs.gnu.org; 25 Jan 2019 21:25:53 +0000 Received: from localhost ([127.0.0.1]:45636 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gn8z3-0000W4-Ec for submit@debbugs.gnu.org; Fri, 25 Jan 2019 16:25:53 -0500 Received: from m4s11.vlinux.de ([83.151.27.109]:33510 helo=bjoernhoefling.de) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gn8z1-0000Vt-Ux for 34125-done@debbugs.gnu.org; Fri, 25 Jan 2019 16:25:52 -0500 Received: from alma-ubu (pD951FD4A.dip0.t-ipconnect.de [217.81.253.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bjoernhoefling.de (Postfix) with ESMTPSA id A81293F964; Fri, 25 Jan 2019 22:25:48 +0100 (CET) Date: Fri, 25 Jan 2019 22:25:47 +0100 From: =?UTF-8?B?QmrDtnJuIEjDtmZsaW5n?= To: Ricardo Wurmus Subject: Re: bug#34125: Installation script needs to be secured with a gpg signature Message-ID: <20190125222547.5a01b1dc@alma-ubu> In-Reply-To: <87womxcg9a.fsf@elephly.net> References: <20190118162301.52eaeb12@alma-ubu> <87womxcg9a.fsf@elephly.net> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/NUoSVMqc6ERi5IL7Km7Hlk1"; protocol="application/pgp-signature" X-Spam-Score: 0.1 (/) X-Debbugs-Envelope-To: 34125-done Cc: 34125-done@debbugs.gnu.org, Laura Lazzati X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.9 (/) --Sig_/NUoSVMqc6ERi5IL7Km7Hlk1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Tue, 22 Jan 2019 08:18:09 +0100 Ricardo Wurmus wrote: > Hi Bj=C3=B6rn, >=20 > > I was looking at the installation video from Laura (not yet public) > > and wondered about that: > > > > We just download the installation script: > > > > $ wget https://.../guix-install.sh > > > > Then we go on directly executing that script. > > > > Shouldn't that be save-garded by a PGP-signature too? =20 >=20 > I don=E2=80=99t know. >=20 > > Because if it is not, the user could be tricked into a script that > > downloads a "bad" Guix installation tarball. =20 >=20 > To avoid having the user tricked we use HTTPS. At least the users > will know that this file comes from the official project website. >=20 > A user who is tricked into downloading a script from a malicious site > could just as well download a matching signature from somewhere else, > so the script body itself should be signed. We can=E2=80=99t sign the wh= ole > file because the first line must be the shebang =E2=80=94 unless we forgo= the > shebang and the =E2=80=9Cchmod +x=E2=80=9D instruction and ask people to = execute it > with =E2=80=9Csudo bash guix-install.sh=E2=80=9D. =E2=80=9Cgpg --clear-s= ign=E2=80=9D adds a block of > text before and after the file, which would be a syntax error in a > shell script. >=20 > We are probably stuck with having a separate signature file. I don=E2=80= =99t > know if it=E2=80=99s worth doing when HTTPS is used to fetch the script f= rom > an authoritative source. >=20 OK, agreed. Let's close this. Bj=C3=B6rn --Sig_/NUoSVMqc6ERi5IL7Km7Hlk1 Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQQiGUP0np8nb5SZM4K/KGy2WT5f/QUCXEt+2wAKCRC/KGy2WT5f /QrRAJ0fbiuRugZd+xdn4MfCfos3eujofgCgh48kLTDPNJCpw1uMJ5E07m2jOg4= =zgDC -----END PGP SIGNATURE----- --Sig_/NUoSVMqc6ERi5IL7Km7Hlk1-- From unknown Fri Jun 20 20:10:39 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 23 Feb 2019 12:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator