Nix run -- but check commit signatures beforehand?

Heya!

I’m running a server application via nix run git+ssh://myrepo. The git repo also acts as a build server.

I’m investigating whether it’s possible to prevent tampering with my application by verifying the commit signatures before running the program.

Is there a decent way to do so with flakes/nix? Or an alternative approach that could be used?

If you don’t trust the build server, then you can’t trust any sort of verification on the build server. Right? So I don’t see verification of the code doing anything useful for you here.

I imagine at most you could verify that the nar hash of the build result hasn’t changed. And if that hash needs to change, you’d have to independently verify that change.

There is the (barely documented) verified-fetches experimental feature, introduced in Commit Signature Verification by flandweber · Pull Request #8848 · NixOS/nix · GitHub.

In theory you can do something like nix run git+https://github.com/NixOS/nix?verifyCommit=1&publicKey=....


If you don’t trust the build server, then you can’t trust any sort of verification on the build server. Right? So I don’t see verification of the code doing anything useful for you here.

Well, I trust the build server, but I use gitolite for managing my git repo, and if a hacker managed to get access to the git user through some exploit then they could theoretically tamper with the git repository. If the application server verifies the builds before installing them, by verifying that all commits are signed by a trusted key, such tampering could be stopped even with repository access.

There is the (barely documented) verified-fetches experimental feature, introduced in Commit Signature Verification by flandweber · Pull Request #8848 · NixOS/nix · GitHub.
In theory you can do something like nix run git+https://github.com/NixOS/nix?verifyCommit=1&publicKey=....

That’s exactly what I was looking for. I’ll give it a try, thanks! I had no idea you could pass parameters that way.

I gave this a spin now and the following command worked after I rebased all my commits so they were signed:

nix run --extra-experimental-features verified-fetches git+ssh://git@git.my.repo/repo?keytype=ssh-rsa&publicKey="ssh-rsa blahblahblah me@me"

However, it seems that if I want to support my team-mates’ keys then I need to send in an array of nix objects:

publicKeys = [{
  key = "<public key>";
  type = "<key type>"; # optional, default: "ssh-ed25519"
}]

How would I pass that as a query parameter?
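The multi-key case asked about in the last post, as an added example that is not from the thread or from Nix itself: it builds the flake reference for nix run with several trusted keys. It assumes that publicKeys is accepted as a query parameter carrying the same list as the Nix snippet above, serialised as JSON and percent-encoded in the URL (the list form of the publicKey/keytype pair used earlier), and that key holds only the base64 body of the key; the helper names urlencode, public_keys_json and verified_flake_ref are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the flake reference for
# `nix run` with commit verification against several team keys. Assumption
# (not verified here): `publicKeys` is accepted as a query parameter holding
# the Nix list serialised as JSON and percent-encoded.

# Percent-encode the characters that can occur in an SSH public key or in the
# JSON punctuation around it ('%' first, so later replacements are not re-encoded).
urlencode() {
  printf '%s' "$1" | sed \
    -e 's/%/%25/g'  -e 's/ /%20/g'  -e 's/"/%22/g'  -e 's/#/%23/g' \
    -e 's/&/%26/g'  -e 's/+/%2B/g'  -e 's/,/%2C/g'  -e 's,/,%2F,g' \
    -e 's/:/%3A/g'  -e 's/=/%3D/g'  -e 's/?/%3F/g'  -e 's/@/%40/g' \
    -e 's/\[/%5B/g' -e 's/]/%5D/g'  -e 's/{/%7B/g'  -e 's/}/%7D/g'
}

# Turn authorized_keys-style lines ("<type> <base64> [comment]") into the JSON
# list form of the publicKeys attribute; the trailing comment is not part of the key.
public_keys_json() {
  json='[' sep=''
  for entry in "$@"; do
    case $entry in
      *' '*) ;;
      *) printf 'not a "<type> <key>" line: %s\n' "$entry" >&2; return 1 ;;
    esac
    type=${entry%% *}
    rest=${entry#* }
    key=${rest%% *}
    json="${json}${sep}{\"type\":\"${type}\",\"key\":\"${key}\"}"
    sep=','
  done
  printf '%s]' "$json"
}

# Full flake reference: repository URL plus verifyCommit=1 and the encoded key list.
# Quote the result when passing it to nix, otherwise the shell treats '&' as a job separator.
verified_flake_ref() {
  repo=$1
  shift
  printf '%s?verifyCommit=1&publicKeys=%s' "$repo" "$(urlencode "$(public_keys_json "$@")")"
}

# Constructed sample keys (placeholders, not real keys); the repo URL is the one from the thread.
ref=$(verified_flake_ref 'git+ssh://git@git.my.repo/repo' \
  'ssh-ed25519 AAAAC3EXAMPLEKEY1 me@me' \
  'ssh-rsa AAAAB3EXAMPLEKEY2 teammate@example')
printf 'nix run --extra-experimental-features verified-fetches %s\n' "'$ref'"
```

Every key in the list must then match a commit signer, so a commit pushed by someone who only holds repository access, but none of the listed keys, makes nix refuse the fetch.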