emacscollective / borg

Assimilate Emacs packages as Git submodules
https://emacsmirror.net/manual/borg
GNU General Public License v3.0

Verify packages PGP signatures #17

Closed thblt closed 6 years ago

thblt commented 7 years ago

It would be nice if Borg did verify PGP signatures before building/activating a drone. I've included such a feature in a little UI frontend for Borg I've been working on as an Elisp exercise, but I think it could take place in the core instead. I imagine it working this way:

  1. borg-assimilate would verify if the package is signed after cloning. If it is not, but if the most recent tag on default branch is, it would offer to checkout this tag instead of HEAD.

    If the git object (tag or commit) is signed with a missing signature, Borg may offer to download the public key.

    If a valid signature is found, Borg could offer to add a submodules.DRONE.signingkey field with the identifier of the signing key.

    If no signature can be verified, it would ask the user whether they still want to activate the package, and offer the choice to remove it instead.

  2. borg-clone would do the same, but won't offer to modify .gitmodules.

  3. A new function borg-upgrade or borg-switch-version would be added, which would prompt the user for a commit or a tag, check it out, and verify the signature (using submodules.DRONE.signingkey) before building.

  4. A new variable, borg-always-valid-keys would be introduced, which would store a list of GnuPG key identifiers to consider valid for all packages. This would typically store the ID of the user's own key.

  5. Optional: A new variable borg-verify-signatures-on-initialization could be introduced, defaulting to nil. If non-nil, borg-initialize would only activate packages with a valid signature and a clean working tree. (This is a kind of "paranoia" mode.)

If you're interested to have such a feature on Borg, I'd like to work on it.

Thanks for reading this!
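The policy sketched in the proposal above, expressed as a small shell script that leans on what git already reports. This is an added example, not Borg's code or anything thblt posted: the function names (decide, check_drone, key_matches), the decision labels it prints, and the assumption that the pinned key lives in .gitmodules as submodule.NAME.signingkey are all this example's own choices.

```shell
#!/bin/sh
# Added example (not Borg's own code): a shell sketch of the proposed
# signature policy for a drone, driven by git's own signature reporting.

# Normalise a key id or fingerprint: drop spaces and a 0x prefix, upper-case.
norm_key() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# key_matches FPR KEY: true when KEY (short id, long id or full fingerprint)
# is a suffix of the full fingerprint FPR. An empty KEY never matches.
key_matches() {
  fpr=$(norm_key "$1"); key=$(norm_key "$2")
  [ -n "$key" ] || return 1
  case "$fpr" in *"$key") return 0 ;; esac
  return 1
}

# decide STATUS FPR PINNED_KEY "ALWAYS_VALID_KEYS"
# STATUS is the letter git prints for the %G? format:
#   G good, U good but the key is not trusted by gpg, E cannot be checked
#   (typically the public key is missing), N unsigned, B bad signature,
#   X/Y expired signature or key, R revoked key.
# Prints one of: accept | ask-pin-key | ask-download-key | ask-unsigned | reject
decide() {
  status=$1; fpr=$2; pinned=$3; always=$4
  case "$status" in
    G|U)
      # Valid signature. U is acceptable here because trust comes from the
      # key pinned for this drone or from the user's always-valid list, not
      # from gpg's web of trust.
      if key_matches "$fpr" "$pinned"; then echo accept; return; fi
      for k in $always; do
        if key_matches "$fpr" "$k"; then echo accept; return; fi
      done
      echo ask-pin-key ;;          # valid, but no policy for this key yet
    E) echo ask-download-key ;;    # offer to fetch the missing public key
    N) echo ask-unsigned ;;        # offer the latest signed tag, or removal
    *) echo reject ;;              # B, X, Y, R: never build or activate
  esac
}

# check_drone SUBMODULE_PATH [ALWAYS_VALID_KEYS]: read the pinned key from
# .gitmodules (assumed key: submodule.NAME.signingkey, where NAME is the
# last path component, e.g. lib/magit -> magit), ask git for the signature
# status of the checked-out commit, and print the decision.
# Note: %G? describes the commit signature only; a signed tag needs
# 'git verify-tag' in addition.
check_drone() {
  path=$1; always=${2:-}
  name=$(basename "$path")
  pinned=$(git config -f .gitmodules --get "submodule.$name.signingkey" 2>/dev/null || true)
  # %G? is the status letter, %GF the fingerprint of the signing key
  # (empty when the commit is unsigned).
  set -- $(git -C "$path" log -1 --format='%G? %GF' HEAD)
  decide "${1:-N}" "${2:-}" "$pinned" "$always"
}

# Usage: sh check-drone.sh lib/magit "0xDEADBEEF01234567 0xCAFEBABE89ABCDEF"
if [ "$#" -ge 1 ]; then check_drone "$@"; fi
```

Run it from the top of the Borg-managed .emacs.d so that .gitmodules is found; the second argument plays the role of borg-always-valid-keys. The suffix match in key_matches is what lets a short or long key id in .gitmodules match the full fingerprint git prints, and the empty-key guard is deliberate: without it an unset signingkey would match every signature.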

tarsius commented 7 years ago

It's pretty exciting that borg now has an extension. Not too long ago it didn't even have more than a handful of users. :wink:

tarsius commented 7 years ago

I am a little busy getting Magit, borg, epkg, closql, and emir releases ready, so I will comment later.

tarsius commented 7 years ago

Just a quick note for those following links :wink:

As a security measure I have already added a command that only clones a package without also installing to allow reviewing a package before any of it is executed. Additionally I plan to show a warning when a user attempts to install an unsafe package and add an option to epkg to hide all Emacswiki packages.

thblt commented 7 years ago

Hi Jonas, just a friendly reminder that this issue is still waiting for your feedback :) There's no hurry since I'm still really busy (too, I guess), but knowing what you think would help me get started whenever I can. Thanks!

thblt commented 6 years ago

I guess you're busy, I think I'll just start working on this and send a PR when I've got something done, it will probably be easier to discuss code than ideas :-)

tarsius commented 6 years ago

> I guess you're busy,

I found some time to work on borg today, but...

> I think I'll just start working on this

...please do that.

tarsius commented 6 years ago

> A new function borg-upgrade or borg-switch-version would be added, which would prompt the user for a commit or a tag, checkout it, and verify signature (using submodules.DRONE.signingkey) before building.

Your proposal seems to be centered around this idea. I don't really want to go down that road because I want to keep using Magit directly to do those things. (And then call borg-build to handle the one part it does not handle. Though in practice I usually skip that too and rely on auto-compile to rebuild the next time I start Emacs.)

So I think it would be better to build the core functionality first - providing some way to verify signatures and warn about missing/bad signatures. And much of that should probably be implemented in Magit, not Borg. Magit already does support signature verification to some extent, but that could certainly be improved. The list of submodules, for example, could display the signature status for the checked out tips.

While I agree that Borg should allow users to verify the integrity of packages more easily and (optionally) even warn them when departing from the safe path, I don't know how to do it. You have proposed one approach, which I have some doubts about. But that should not keep you from implementing it if you care enough about it. Maybe I will change my mind once I see the implementation. I would however recommend that you make use of hooks (including hooks you have to implement first). That way you could provide this functionality even if you end up not merging into Borg (except for the necessary hooks).

tarsius commented 6 years ago

Like https://github.com/magit/magit/pull/3451 I am closing this too. I assume that once you have finished that you will start working on this again too, at which point I would be happy to reopen this.