From 752f967c0fe2489fe13d8c2c65c3ecba72064adc Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Thu, 22 Sep 2022 10:43:48 -0400
Subject: [PATCH 1/3] "valid signature" -> "trustworthy signature"

I just had a colleague get confused by the previous phrase for good reason. "valid" sounds like an *objective* criterion, e.g. and *invalid signature* would be one that would be trusted by no one, e.g. because it misformatted or something. What is actually going is that there might be a signature which is perfectly valid to *someone else*, but not to the user, because they don't trust the corresponding public key. This is a *subjective* criterion, because it depends on the arbitrary and personal choice of which public keys to trust. I therefore think "trustworthy" is a better adjective to use. Whether something is worthy of trust is clearly subjective, and then "trust" within that word nicely evokes `trusted-public-keys` and friends.

---
 src/libstore/globals.hh | 2 +-
 src/libstore/local-store.cc | 4 ++--
 src/nix/make-content-addressed.md | 2 +-
 src/nix/verify.cc | 2 +-
 tests/signing.sh | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index e9d721e59..fb8f810c2 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -560,7 +560,7 @@ public:
 R"(
 If set to `true` (the default), any non-content-addressed path added
 or copied to the Nix store (e.g. when substituting from a binary
- cache) must have a valid signature, that is, be signed using one of
+ cache) must have a trustworthy signature, that is, be signed using one of
 the keys listed in `trusted-public-keys` or `secret-key-files`. Set
 to `false` to disable signature checking.
 )"};
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 37302d3a8..b64ae6080 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -751,7 +751,7 @@ void LocalStore::registerDrvOutput(const Realisation & info, CheckSigsFlag check
 if (checkSigs == NoCheckSigs || !realisationIsUntrusted(info))
 registerDrvOutput(info);
 else
- throw Error("cannot register realisation '%s' because it lacks a valid signature", info.outPath.to_string());
+ throw Error("cannot register realisation '%s' because it lacks a trustworthy signature", info.outPath.to_string());
 }
 
 void LocalStore::registerDrvOutput(const Realisation & info)
@@ -1266,7 +1266,7 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source,
 RepairFlag repair, CheckSigsFlag checkSigs)
 {
 if (checkSigs && pathInfoIsUntrusted(info))
- throw Error("cannot add path '%s' because it lacks a valid signature", printStorePath(info.path));
+ throw Error("cannot add path '%s' because it lacks a trustworthy signature", printStorePath(info.path));
 
 addTempRoot(info.path);
 
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md
index 215683e6d..b0685bb6c 100644
--- a/src/nix/make-content-addressed.md
+++ b/src/nix/make-content-addressed.md
@@ -22,7 +22,7 @@ R""(
 
 ```console
 # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello
- cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a valid signature
+ cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a trustworthy signature
 ```
 
 * Create a content-addressed representation of the current NixOS
diff --git a/src/nix/verify.cc b/src/nix/verify.cc
index e92df1303..6dc539e24 100644
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand
 addFlag({
 .longName = "sigs-needed",
 .shortName = 'n',
- .description = "Require that each path has at least *n* valid signatures.",
+ .description = "Require that each path has at least *n* trustworthy signatures.",
 .labels = {"n"},
 .handler = {&sigsNeeded}
 });
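Review bot: The rewritten message in the `registerDrvOutput` hunk still formats the path with `info.outPath.to_string()`, while the sibling `addToStore` message in the next hunk of the same file uses `printStorePath(info.path)`; presumably those render differently (bare store-path name versus the full path), so a user hitting the two signature failures sees two path formats for the same kind of problem. Since the line is being touched anyway, I would make the format argument `printStorePath(info.outPath)` so both messages agree. The same applies to the patch-2 version of this hunk further down. Both enclosing functions start and end outside their hunks.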
diff --git a/tests/signing.sh b/tests/signing.sh
index 6aafbeb91..74f57966a 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -81,7 +81,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
 
-# Copying to a diverted store should fail due to a lack of valid signatures.
+# Copying to a diverted store should fail due to a lack of trustworthy signatures.
 chmod -R u+w $TEST_ROOT/store0 || true
 rm -rf $TEST_ROOT/store0
 (! nix copy --to $TEST_ROOT/store0 $outPath)

From a2a8cb10ac17e03691b9f73ae14e5b6edbe66f4e Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Thu, 22 Sep 2022 14:36:26 -0400
Subject: [PATCH 2/3] Dodge "trusted" vs "trustworthy" by being explicit

Hopefully this is best!

---
 src/libstore/globals.hh | 12 +++++++++---
 src/libstore/local-store.cc | 4 ++--
 src/nix/make-content-addressed.md | 2 +-
 src/nix/verify.cc | 2 +-
 tests/signing.sh | 2 +-
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index fb8f810c2..e2bb0ffc9 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -560,9 +560,15 @@ public:
 R"(
 If set to `true` (the default), any non-content-addressed path added
 or copied to the Nix store (e.g. when substituting from a binary
- cache) must have a trustworthy signature, that is, be signed using one of
- the keys listed in `trusted-public-keys` or `secret-key-files`. Set
- to `false` to disable signature checking.
+ cache) must have a signature by a key we trust. A trusted key is one
+ listed in `trusted-public-keys`, or a public key counterpart to a
+ private key stored in a file listed in `secret-key-files`.
+
+ Set to `false` to disable signature checking and trust all
+ non-content-addressed paths unconditionally.
+
+ (Content-addressed paths are inherently trustworthy and thus
+ unaffected by this configuration option.)
 )"};
 
 Setting extraPlatforms{
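Review bot: The new parenthetical in the `require-sigs` text, `(Content-addressed paths are inherently trustworthy and thus unaffected by this configuration option.)`, claims more than content addressing provides: such a path can be checked against the hash in its own store path, so a signature adds nothing to its integrity, but that says nothing about whether its contents are safe, and "trustworthy" is exactly the word this series is trying to pin down. I would state the mechanism rather than the verdict, e.g. `(Content-addressed paths are verified against the hash in their store path, so they need no signature and are unaffected by this option.)`. The definition of a trusted key is a real improvement; it may be worth a half-sentence noting that keys derived from `secret-key-files` are therefore trusted implicitly, since that is what the text states and readers configuring a signing host may not expect it. The `Setting` declaration this raw string belongs to starts outside the hunk.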
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index b64ae6080..d374d4558 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -751,7 +751,7 @@ void LocalStore::registerDrvOutput(const Realisation & info, CheckSigsFlag check
 if (checkSigs == NoCheckSigs || !realisationIsUntrusted(info))
 registerDrvOutput(info);
 else
- throw Error("cannot register realisation '%s' because it lacks a trustworthy signature", info.outPath.to_string());
+ throw Error("cannot register realisation '%s' because it lacks a signature by a trusted key", info.outPath.to_string());
 }
 
 void LocalStore::registerDrvOutput(const Realisation & info)
@@ -1266,7 +1266,7 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source,
 RepairFlag repair, CheckSigsFlag checkSigs)
 {
 if (checkSigs && pathInfoIsUntrusted(info))
- throw Error("cannot add path '%s' because it lacks a trustworthy signature", printStorePath(info.path));
+ throw Error("cannot add path '%s' because it lacks a signature by a trusted key", printStorePath(info.path));
 
 addTempRoot(info.path);
 
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md
index b0685bb6c..32eecc880 100644
--- a/src/nix/make-content-addressed.md
+++ b/src/nix/make-content-addressed.md
@@ -22,7 +22,7 @@ R""(
 
 ```console
 # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello
- cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a trustworthy signature
+ cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a signature by a trusted key
 ```
 
 * Create a content-addressed representation of the current NixOS
diff --git a/src/nix/verify.cc b/src/nix/verify.cc
index 6dc539e24..1ddedd320 100644
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand
 addFlag({
 .longName = "sigs-needed",
 .shortName = 'n',
- .description = "Require that each path has at least *n* trustworthy signatures.",
+ .description = "Require that each path has is signed by *n* different keys.",
 .labels = {"n"},
 .handler = {&sigsNeeded}
 });
diff --git a/tests/signing.sh b/tests/signing.sh
index 74f57966a..9b673c609 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -81,7 +81,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
 
-# Copying to a diverted store should fail due to a lack of trustworthy signatures.
+# Copying to a diverted store should fail due to a lack of signatures by trusted keys.
 chmod -R u+w $TEST_ROOT/store0 || true
 rm -rf $TEST_ROOT/store0
 (! nix copy --to $TEST_ROOT/store0 $outPath)

From 60e23c8baeb0e28ec163676b4fd4a24c40d89fe9 Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Fri, 23 Sep 2022 13:57:57 -0400
Subject: [PATCH 3/3] Apply suggestions from code review

Co-authored-by: Valentin Gagarin
Co-authored-by: Rune K. Svendsen
---
 src/libstore/globals.hh | 2 +-
 src/nix/verify.cc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index e2bb0ffc9..75927d395 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -560,7 +560,7 @@ public:
 R"(
 If set to `true` (the default), any non-content-addressed path added
 or copied to the Nix store (e.g. when substituting from a binary
- cache) must have a signature by a key we trust. A trusted key is one
+ cache) must have a signature by a trusted key. A trusted key is one
 listed in `trusted-public-keys`, or a public key counterpart to a
 private key stored in a file listed in `secret-key-files`.
 
diff --git a/src/nix/verify.cc b/src/nix/verify.cc
index 1ddedd320..efa2434dc 100644
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand
 addFlag({
 .longName = "sigs-needed",
 .shortName = 'n',
- .description = "Require that each path has is signed by *n* different keys.",
+ .description = "Require that each path is signed by at least *n* different keys.",
 .labels = {"n"},
 .handler = {&sigsNeeded}
 });
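Review bot: The final `--sigs-needed` description, `Require that each path is signed by at least *n* different keys.`, drops the trust qualifier that patch 1 carried (`trustworthy signatures`) and that the patch-2 `require-sigs` text takes care to define; as written it reads as though any *n* signatures satisfy the check, whereas the `-n` threshold presumably only counts signatures that verify under a trusted key (the counting code is outside this hunk, so confirm against `run`). I would write `.description = "Require that each path is signed by at least *n* different trusted keys.",` so the flag's wording matches the setting it is the per-path counterpart of. `CmdVerify` continues outside the hunk.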