hannes.robur.coop/Posts/Conex

---
title: Conex, establish trust in community repositories
author: hannes
tags: package signing, security, overview
abstract: Conex is a library to verify and attest package release integrity and authenticity through the use of cryptographic signatures.
---

Less than two years after the initial proposal, we're happy to present conex
0.9.2.  Pleas note that this is still work in progress, to be deployed with opam
2.0 and the [opam repository](https://github.com/ocaml/opam-repository).

![screenshot](/static/img/conex.png)

[Conex](https://github.com/hannesm/conex) is a library to verify and attest release integrity and
authenticity of a community repository through the use of cryptographic signatures.

Packages are collected in a community repository to provide an index and
allowing cross-references.  Authors submit their packages to the repository. which
is curated by a team of janitors.  Information
about a package stored in a repository includes: license, author, releases,
their dependencies, build instructions, url, tarball checksum.  When someone
publishes a new package, the janitors integrate it into the repository, if it
compiles and passes some validity checks.  For example, its name must not be misleading,
nor may it be too general.

Janitors keep an eye on the repository and fix emergent failures.  A new
compiler release, or a release of a package on which other packages depend, might break the compilation of
a package.  Janitors usually fix these problems by adding a patch to the build script, or introducing
a version constraint in the repository.

*Conex* ensures that every release of each package has been approved by its author or a quorum of janitors.
A conex-aware client initially verifies the repository using janitor key fingerprints as anchor.
Afterwards, the on-disk repository is trusted, and every update is verified (as a patch) individually.
This incremental verification is accomplished by ensuring all resources
that the patch modifies result in a valid repository with
sufficient approvals.  Additionally, monotonicity is preserved by
embedding counters in each resource, and enforcing a counter
increment after modification.
This mechanism avoids rollback attacks, when an
attacker presents you an old version of the repository.

A timestamping service (NYI) will periodically approve a global view of the
verified repository, together with a timestamp.  This is then used by the client
to prevent mix-and-match attacks, where an attacker mixes some old packages and
some new ones.  Also, the client is able to detect freeze attacks, since at
least every day there should be a new signature done by the timestamping service.

The trust is rooted in digital signatures by package authors.  The server which
hosts the repository does not need to be trusted.  Neither does the host serving
release tarballs.

If a single janitor would be powerful enough to approve a key for any author,
compromising one janitor would be sufficient to enroll any new identities,
modify dependencies, build scripts, etc.  In conex, a quorum of janitors (let's
say 3) have to approve such changes.  This is different from current workflows,
where a single janitor with access to the repository can merge fixes.

Conex adds metadata, in form of resources, to the repository to ensure integrity and
authenticity.  There are different kinds of resources:

- *Authors*, consisting of a unique identifier, public key(s), accounts.
- *Teams*, sharing the same namespace as authors, containing a set of members.
- *Authorisation*, one for each package, describing which identities are authorised for the package.
- *Package index*, for each package, listing all releases.
- *Release*, for each release, listing checksums of all data files.

Modifications to identities and authorisations need to be approved by a quorum
of janitors, package index and release files can be modified either by an authorised
id or by a quorum of janitors.

## Documentation

[API documentation](https://hannesm.github.io/conex/doc/) is
available online, also a [coverage
report](https://hannesm.github.io/conex/coverage/).

We presented an [abstract at OCaml
2016](https://github.com/hannesm/conex-paper/raw/master/paper.pdf) about an
earlier design.

Another article on an [earlier design (from
2015)](http://opam.ocaml.org/blog/Signing-the-opam-repository/) is also
available.

Conex is inspired by [the update
framework](https://theupdateframework.github.io/), especially on their [CCS 2010
paper](https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf), and
adapted to the opam repository.

The [TUF
spec](https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt)
has a good overview of attacks and threat model, both of which are shared by conex.

## What's missing

- See [issue 7](https://github.com/hannesm/conex/issues/7) for a laundry list
- Timestamping service
- Key revocation and rollover
- Tool to approve a PR (for janitors)
- Camelus like opam-repository check bot
- Integration into release management systems

## Getting started

At the moment, our [opam repository](https://github.com/ocaml/opam-repository)
does not include any metadata needed for signing.  We're in a bootstrap phase:
we need you to generate a keypair, claim your packages, and approve your releases.

We cannot verify the main opam repository yet, but opam2 has support for a
[`repository validation command`](http://opam.ocaml.org/doc/2.0/Manual.html#configfield-repository-validation-command),
builtin, which should then call out to `conex_verify` (there is a `--nostrict`
flag for the impatient).  There is also an [example repository](https://github.com/hannesm/testrepo) which uses the opam validation command.

To reduce the manual work, we analysed 7000 PRs of the opam repository within
the last 4.5 years (more details [here](https://hannes.nqsb.io/Posts/Maintainers).
This resulted in an educated guess who are the people
modifying each package, which we use as a basis whom to authorise for
which packages.  Please check with `conex_author status` below whether your team
membership and authorised packages were inferred correctly.

Each individual author - you - need to generate their private key, submit
their public key and starts approving releases (and old ones after careful
checking that the build script, patches, and tarball checksum are valid).
Each resource can be approved in multiple versions at the same time.

### Installation

TODO: remove clone once [PR 8494](https://github.com/ocaml/opam-repository/pull/8494) is merged.

```bash
$ git clone -b auth https://github.com/hannesm/opam-repository.git repo
$ opam install conex
$ cd repo
```

This will install conex, namely command line utilities, `conex_author` and
`conex_verify_nocrypto`/`conex_verify_openssl`.  All files read and written by conex are in the usual
opam file format.  This means can always manually modify them (but be careful,
modifications need to increment counters, add checksums, and be signed).  Conex
does not deal with git, you have to manually `git add` files and open pull
requests.

### Author enrollment

For the opam repository, we will use GitHub ids as conex ids.  Thus, your conex
id and your GitHub id should match up.

```bash
repo$ conex_author init --repo ~/repo --id hannesm
Created keypair hannesm.  Join teams, claim your packages, sign your approved resources and open a PR :)
```

This attempts to parse `~/repo/id/hannesm`, errors if it is a team or an author
with a publickey.  Otherwise it generates a keypair, writes the private part as
`home.hannes.repo.hannesm.private` (the absolute path separated by dots,
followed by your id, and `private` - if you move your repository, rename your
private key) into `~/.conex/`, the checksums of the public part and your
accounts into `~/repo/id/hannesm`.  See `conex_author help init` for more
options (esp. additional verbosity `-v` can be helpful).

```bash
repo$ git status -s
 M id/hannesm

repo$ git diff //abbreviated output
-  ["counter" 0x0]
+  ["counter" 0x1]

-  ["resources" []]
+  [
+    "resources"
+    [
+      [
+        ["typ" "key"]
+        ["name" "hannesm"]
+        ["index" 0x1]
+        ["digest" ["SHA256" "ht9ztjjDwWwD/id6LSVi7nKqVyCHQuQu9ORpr8Zo2aY="]]
+      ]
+      [
+        ["typ" "account"]
+        ["name" "hannesm"]
+        ["index" 0x2]
+        ["digest" ["SHA256" "aCsktJ5M9PI6T+m1NIQtuIFYILFkqoHKwBxwvuzpuzg="]]
+      ]
+
+keys: [
+  [
+    [
+      "RSA"
+      """
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyUhArwt4XcxLanARyH9S
...
+9KQdg6QnLsQh/j74QKLOZacCAwEAAQ==
+-----END PUBLIC KEY-----"""
+      0x58A3419F
+    ]
+    [
+      0x58A79A1D
+      "RSA-PSS-SHA256"
+      "HqqicsDx4hG9pFM5E7"
+    ]
+  ]
+]
```

### Status

If you have a single identity and contribute to a single signed opam repository,
you don't need to specify `--id` or `--repo` from now on.

The `status` subcommand presents an author-specific view on the repository.  It
lists the own public keys, team membership, queued resources, and authorised
packages.

The opam repository is in a transitionary state, we explicitly pass `--quorum
0`, which means that every checksum is valid (approved by a quorum of 0
janitors).

```bash
repo$ conex_author status --quorum 0 arp
author hannesm #1 (created 0) verified 3 resources, 0 queued
4096 bit RSA key created 1487094175 approved, SHA256: ht9ztjjDwWwD/id6LSVi7nKqVyCHQuQu9ORpr8Zo2aY=
account GitHub hannesm approved
account email hannes@mehnert.org approved
package arp authorisation approved
conex_author: [ERROR] package index arp was not found in repository
```

This shows your key material and accounts, team membership and packages you are
authorised to modify (inferred as described
[here](https://hannes.nqsb.io/Posts/Maintainers).

The `--noteam` argument limits the package list to only these you are personally
authorised for.  The `--id` argument presents you with a view of another author,
or from a team perspective.  The positional argument is a prefix matching on
package names (leave empty for all).

### Resource approval

Each resource needs to be approved individually.  Each author has a local queue
for to-be-signed resources, which is extended with `authorisation`, `init`,
`key`, `release`, and `team` (all have a `--dry-run` flag).  The queue can be
dropped using `conex_author reset`.  Below shown is `conex_author sign`, which
let's you interactively approve queued resources and cryptopgraphically signs
your approved resources afterwards.

The output of `conex_author status` listed an authorisation for `conf-gsl`,
which I don't feel responsible for.  Let's drop my privileges:

```bash
repo$ conex_author authorisation conf-gsl --remove -m hannesm
modified authorisation and added resource to your queue.
```

I checked my arp release careful (checksums of tarballs are correct, opam files
do not execute arbitrary shell code, etc.), and approve this package and its
single release:

```bash
repo$ conex_author release arp
conex_author.native: [WARNING] package index arp was not found in repository
conex_author.native: [WARNING] release arp.0.1.1 was not found in repository
wrote release and added resources to your queue.
```

Once finished with joining and leaving teams (using the `team` subcommand),
claiming packages (using the `authorisation` subcommand), and approve releases
(using the `release` subcommand), you have to cryprographically sign your queued
resource modifications:

```bash
repo$ conex_author sign
release arp.0.1.1 #1 (created 1487269425)
[descr: SHA256: aCsNvcj3cBKO0GESWG4r3AzoUEnI0pHGSyEDYNPouoE=;
opam: SHA256: nqy6lD1UP+kXj3+oPXLt2VMUIENEuHMVlVaG2V4z3p0=;
url: SHA256: FaUPievda6cEMjNkWdi0kGVK7t6EpWGfQ4q2NTSTcy0=]
approved (yes/No)?
package arp #1 (created 1487269425) [arp.0.1.1]
approved (yes/No)?y
authorisation conf-gsl #1 (created 0) empty
approved (yes/No)?y
wrote hannesm to disk

repo$ conex_author status --quorum 0 arp
author hannesm #1 (created 0) verified 7 resources, 0 queued
4096 bit RSA key created 1487094175 approved, SHA256: ht9ztjjDwWwD/id6LSVi7nKqVyCHQuQu9ORpr8Zo2aY=
account GitHub hannesm approved
account email hannes@mehnert.org approved
package arp authorisation approved package index approved
release arp.0.1.1: approved
```

If you now modify anything in `packages/arp` (add subdirectories, modify opam,
etc.), this will not be automatically approved (see below for how to do this).

You manually need to `git add` some created files.

```bash
repo$ git status -s
 M id/hannesm
 M packages/conf-gsl/authorisation
?? packages/arp/arp.0.1.1/release
?? packages/arp/package

repo$ git add packages/arp/arp.0.1.1/release packages/arp/package
repo$ git commit -m "hannesm key enrollment and some fixes" id packages
```

Now push this to your fork, and open a PR on opam-repository!

### Editing a package

If you need to modify a released package, you modify the opam file (as before,
e.g. introducing a conflict with a dependency), and then approve the
modifications.  After your local modifications, `conex_author status` will
complain:

```bash
repo$ conex_author status arp --quorum 0
package arp authorisation approved package index approved
release arp.0.1.1: checksums for arp.0.1.1 differ, missing on disk: empty, missing in checksums file: empty, checksums differ: [have opam: SHA256: QSGUU9HdPOrwoRs6XJka4cZpd8h+8NN1Auu5IMN8ew4= want opam: SHA256: nqy6lD1UP+kXj3+oPXLt2VMUIENEuHMVlVaG2V4z3p0=]

repo$ conex_author release arp.0.1.1
released and added resources to your resource list.

repo$ conex_author sign
release arp.0.1.1 #1 (created 1487269943)
[descr: SHA256: aCsNvcj3cBKO0GESWG4r3AzoUEnI0pHGSyEDYNPouoE=;
opam: SHA256: QSGUU9HdPOrwoRs6XJka4cZpd8h+8NN1Auu5IMN8ew4=;
url: SHA256: FaUPievda6cEMjNkWdi0kGVK7t6EpWGfQ4q2NTSTcy0=]
approved (yes/No)? y
wrote hannesm to disk
```

The `release` subcommand recomputed the checksums, incremented the counter, and
added it to your queue.  The `sign` command signed the approved resource.

```bash
repo$ git status -s
 M id/hannesm
 M packages/arp/arp.0.1.1/opam
 M packages/arp/arp.0.1.1/package

repo$ git commit -m "fixed broken arp package" id packages
```

### Janitor tools

Janitors need to approve teams, keys, accounts, and authorisations.

To approve resources which are already in the repository on disk,
the `key` subcommand queues approval of keys and accounts of the provided author:

```bash
repo$ conex_author key avsm
added keys and accounts to your resource list.
```

The `authorisation` subcommand, and `team` subcommand behave similarly for
authorisations and teams.

Bulk operations are supported as well:

```bash
conex_author authorisation all
```

This will approve all authorisations of the repository which are not yet
approved by you.  Similar for the `key` and `team` subcommands, which also
accept `all`.

Don't forget to `conex_author sign` afterwards (or `yes | conex_author sign`).

### Verification

The two command line utlities, `conex_verify_openssl` and
`conex_verify_nocrypto` contain the same logic and same command line arguments.

For bootstrapping purposes (`nocrypto` is an opam package with dependencies),
`conex_verify_openssl` relies on the openssl command line tool (version 1.0.0
and above) for digest computation and verification of the RSA-PSS signature.

The goal is to use the opam2 provided hooks, but before we have signatures we
cannot enable them.

See the [example repository](https://github.com/hannesm/testrepo) for initial
verification experiments, and opam2 integration.

I'm interested in feedback, please open an issue on the [conex
repository](https://github.com/hannesm/conex).  This article itself is stored as
Markdown [in a different repository](https://github.com/hannesm/hannes.nqsb.io).