GNU bug report logs - #34125
Installation script needs to be secured with a gpg signature

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Björn Höfling
 <bjoern.hoefling <at> bjoernhoefling.de>
Subject: bug#34125: closed (Re: bug#34125: Installation script needs to be
 secured with a gpg signature)
Date: Fri, 25 Jan 2019 21:26:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#34125: Installation script needs to be secured with a gpg signature

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 34125 <at> debbugs.gnu.org.

-- 
34125: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34125
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 34125-done <at> debbugs.gnu.org, Laura Lazzati <laura.lazzati.15 <at> gmail.com>
Subject: Re: bug#34125: Installation script needs to be secured with a gpg
 signature
Date: Fri, 25 Jan 2019 22:25:47 +0100

[Message part 3 (text/plain, inline)]

On Tue, 22 Jan 2019 08:18:09 +0100
Ricardo Wurmus <rekado <at> elephly.net> wrote:

> Hi Björn,
> 
> > I was looking at the installation video from Laura (not yet public)
> > and wondered about that:
> >
> > We just download the installation script:
> >
> > $ wget https://.../guix-install.sh
> >
> > Then we go on directly executing that script.
> >
> > Shouldn't that be save-garded by a PGP-signature too?  
> 
> I don’t know.
> 
> > Because if it is not, the user could be tricked into a script that
> > downloads a "bad" Guix installation tarball.  
> 
> To avoid having the user tricked we use HTTPS.  At least the users
> will know that this file comes from the official project website.
> 
> A user who is tricked into downloading a script from a malicious site
> could just as well download a matching signature from somewhere else,
> so the script body itself should be signed.  We can’t sign the whole
> file because the first line must be the shebang — unless we forgo the
> shebang and the “chmod +x” instruction and ask people to execute it
> with “sudo bash guix-install.sh”.  “gpg --clear-sign” adds a block of
> text before and after the file, which would be a syntax error in a
> shell script.
> 
> We are probably stuck with having a separate signature file.  I don’t
> know if it’s worth doing when HTTPS is used to fetch the script from
> an authoritative source.
> 

OK, agreed. Let's close this.

Björn

[Message part 4 (application/pgp-signature, inline)]

[Message part 5 (message/rfc822, inline)]

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: <bug-guix <at> gnu.org>
Subject: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100

[Message part 6 (text/plain, inline)]

I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be save-garded by a PGP-signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others wget-scripts that install whatever to the user.

WDYT?

Björn

[Message part 7 (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.