From 0fdf4da0e979f992db75cc17376e455ddc5a96d8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 8 Jan 2014 15:23:41 +0100 Subject: Support cryptographically signed binary caches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75. --- scripts/download-from-binary-cache.pl.in | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'scripts/download-from-binary-cache.pl.in') diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 950bcd178527..e6925d7316d0 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -42,6 +42,8 @@ my $caBundle = $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"}; my $userName = getpwuid($<) or die "cannot figure out user name"; +my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0"; + sub addRequest { my ($storePath, $url, $head) = @_; @@ -120,9 +122,10 @@ sub processRequests { sub initCache { - my $dbPath = "$Nix::Config::stateDir/binary-cache-v2.sqlite"; + my $dbPath = "$Nix::Config::stateDir/binary-cache-v3.sqlite"; unlink "$Nix::Config::stateDir/binary-cache-v1.sqlite"; + unlink "$Nix::Config::stateDir/binary-cache-v2.sqlite"; # Open/create the database. $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "") @@ -159,7 +162,7 @@ EOF narSize integer, refs text, deriver text, - system text, + signedBy text, timestamp integer not null, primary key (cache, storePath), foreign key (cache) references BinaryCaches(id) on delete cascade @@ -183,7 +186,7 @@ EOF $insertNAR = $dbh->prepare( "insert or replace into NARs(cache, storePath, url, compression, fileHash, fileSize, narHash, " . - "narSize, refs, deriver, system, timestamp) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") or die; + "narSize, refs, deriver, signedBy, timestamp) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") or die; $queryNAR = $dbh->prepare("select * from NARs where cache = ? and storePath = ?") or die; @@ -309,14 +312,16 @@ sub processNARInfo { return undef; } - my $narInfo = parseNARInfo($storePath, $request->{content}); + my $narInfo = parseNARInfo($storePath, $request->{content}, $requireSignedBinaryCaches, $request->{url}); return undef unless defined $narInfo; + die if $requireSignedBinaryCaches && !defined $narInfo->{signedBy}; + # Cache the result. $insertNAR->execute( $cache->{id}, basename($storePath), $narInfo->{url}, $narInfo->{compression}, $narInfo->{fileHash}, $narInfo->{fileSize}, $narInfo->{narHash}, $narInfo->{narSize}, - join(" ", @{$narInfo->{refs}}), $narInfo->{deriver}, $narInfo->{system}, time()) + join(" ", @{$narInfo->{refs}}), $narInfo->{deriver}, $narInfo->{signedBy}, time()) if shouldCache $request->{url}; return $narInfo; @@ -330,6 +335,10 @@ sub getCachedInfoFrom { my $res = $queryNAR->fetchrow_hashref(); return undef unless defined $res; + # We may previously have cached this info when signature checking + # was disabled. In that case, ignore the cached info. + return undef if $requireSignedBinaryCaches && !defined $res->{signedBy}; + return { url => $res->{url} , compression => $res->{compression} @@ -339,6 +348,7 @@ sub getCachedInfoFrom { , narSize => $res->{narSize} , refs => [ split " ", $res->{refs} ] , deriver => $res->{deriver} + , signedBy => $res->{signedBy} } if defined $res; } @@ -522,7 +532,8 @@ sub downloadBinary { next; } my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs - print STDERR "\n*** Downloading ‘$url’ to ‘$storePath’...\n"; + die if $requireSignedBinaryCaches && !defined $info->{signedBy}; + print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n"; checkURL $url; if (system("$Nix::Config::curl --fail --location --insecure '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { warn "download of `$url' failed" . ($! ? ": $!" : "") . "\n"; @@ -530,6 +541,7 @@ sub downloadBinary { } # Tell Nix about the expected hash so it can verify it. + die unless defined $info->{narHash} && $info->{narHash} ne ""; print "$info->{narHash}\n"; print STDERR "\n"; -- cgit 1.4.1