andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: + | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
<Irenes> I have a question
<Irenes> it's a brainstorming question
<Irenes> I'm working on signed-boot stuff
<Irenes> there's a whole chain of trust, so don't think of this in terms of signing some particular build artifact, or even running some specific signing tool
<Irenes> it's a general problem of producing build artifacts that incorporate signatures
<Irenes> I want to enable users to be present to oversee the build and do the signing step themselves - for example, by unlocking a hardware token
<Irenes> that's fundamentally interactive
<Irenes> there are other ways to do this, fully automated ways, but I think they're mostly useful for large corporations; for *individuals* managing their own artifacts, I think interactive flows are best
<Irenes> in particular I think most individuals don't have the ability to prepare and maintain a server that they don't have access to :)
<Irenes> so the question is
<Irenes> how do I reconcile that interactive step with the nix build process?
<Irenes> one option that I think is *off* the table is to actually prompt the user to authenticate from inside a build script
<Irenes> that would break all sorts of things
<Irenes> the closest thing I can think of is the "please accept the license" thing that used to come up
<Irenes> but I notice that recent NixOS versions have turned that into a config option
<Irenes> which makes sense for licenses, but does not make sense for signing
<qyliss> Irenes: what license accepting thing are you referring to? Do you mean the thing where you have to download some file yourself and nix-store --add it manually?
<Irenes> is that a thing still? I feel like that stopped being a thing
<Irenes> wasn't there like a Mozilla license or something?
<Irenes> to use Firefox instead of Iceweasel?
<Irenes> I'm vague on it
<qyliss> not that I've ever seen
<qyliss> the adding to the store thing is still in use, for when we can't legally redistribute binaries or download them on a user's behalf
<Irenes> oh, I figured out what I was thinking of (by grepping my config)
<qyliss> it's not intended to be an interactive check -- it just works that way because there's no alternative
<Irenes> oraclejdk.accept_license
<Irenes> hmm
<Irenes> I see
<Irenes> so I guess, following that model, what I could do is create a separate command that signs the build artifacts and adds the signed copies to the store
<Irenes> although
<qyliss> I think interactive signing would have to be done after the Nix build
<Irenes> I'm not sure that making it deterministic is consistent with security, I'll have to chew on that
<Irenes> well
<Irenes> if it can't be added to the store, that's a limitation on deployment because it means I also can't use nixos-rebuild to make it active
<qyliss> your only other option would be to have some sort of two stage build, where you build, sign, and then build something else that takes the signed versions as inputs
<Irenes> check my assumption, if signing is not a deterministic function of the payload and the public key (for example, if it incorporates a random salt to mitigate dictionary attacks, or anything like that), I can't add the products of signing to the store and have it work?
<Irenes> right, yeah
<Irenes> I mean, I guess I was imagining a three-stage build
<Irenes> 1. nixos-rebuild -> it errors out and says here's your build products, sign them
<Irenes> 2. invoke my new signing tool
<Irenes> 3. nixos-rebuild again
<qyliss> yes, that would work
<qyliss> your signing tool would have to write something that would affect evaluation
<qyliss> a json file containing signatures, for example
<Irenes> except non-determinism breaks it, right? because the nix store is content-addressed?
<qyliss> that could be imported by your nix expression
<Irenes> hm
<qyliss> the nix store is not content addressed, but that's also not relevant here
<Irenes> I see what you mean. I was thinking of using the store as the thing that affects evaluation.
<Irenes> but it doesn't have to be.
<Irenes> I guess it's also true that signed blobs are going to be precious in a way that typical build products are not
<Irenes> so perhaps the store isn't the best way to manage them
<qyliss> well, you can add them to the store if you want, and they'll end up there anyway as part of the second build, but it doesn't buy you very much
<Irenes> hm yeah
<Irenes> okay
<qyliss> I suppose it means you don't have to worry about storing them anywhere else in the meantime
<Irenes> okay. I think this general flow makes sense.
<Irenes> I wonder if there's a better way to communicate from step 1 to step 2
<Irenes> rather than just telling the user the full filename
<qyliss> "run the following command and try again" would be the way I'd go for that
<Irenes> sure
<Irenes> but I mean, without a huge 50-character hash in the command
<qyliss> ahh
<qyliss> I don't think so, because in your build you can only write to the store
<Irenes> I mean, I could be convinced that that's a feature, but it feels weird
<Irenes> hm
<Irenes> yeah
<qyliss> so you have no way to produce a shorter path
<Irenes> okay
<qyliss> or, well
<Irenes> this makes sense, I think
<qyliss> there is a way you can avoid it I just thought of, but I don't think it'd be worth it
<qyliss> which is that you could have your tool evaluate the Nix expression and discover the outPath for itself
<qyliss> but I don't think that would be a good idea
<Irenes> lol oh
<Irenes> yes
<Irenes> I agree
<Irenes> that is the opposite of small composable pieces :)
<Irenes> neat thought though
<Irenes> okay. thanks for talking this through. some of the compromises are uncomfortable ones, so it was helpful to hear that you see them as necessary also.
<ris> opinions on #120935 sought
<{^_^}> (by risicle, 3 days ago, open): [20.09] qemu: 5.1.0 -> 5.2.0
<qyliss> ris: have you asked the RMs?
<qyliss> that's who a decision like this really comes down to
<ris> who is that for 20.09?
<ris> think it might have been jonringer
<qyliss> worldofpeace and jonringer
<qyliss> so just jonringer now
<ris> yup cool thanks
<qyliss> the current RMs are always in the topic of #nixos-dev
<ris> ah yes good point