asdf-install and GPG signatures
asdf-install is a very useful package manager for lisp code. like rubygems.
The idea is that you load up your lisp REPL, and then punch in
(asdf-install:install 'some-package) to install whatever lisp library you might want. It’s then fetched from the internet, compiled and loaded into your running lisp. peachy.
I’m not sure about the specifics, but I think asdf-install looks for the software you’re trying to find on cliki, which is a public lisp wiki to which anyone can edit, or upload files.
asdf-install is smart about this sort of thing though, it expects any software you download from the internet to have an accompanying signature file. This means the author of the software package needs to sign it with his or her private key and put the signature in the same place as the package. asdf-install will then check that:
a) you have that author’s public key
b) you trust the key comes from who it says it does
c) you have given asdf-install permission to install software from that author
This is all well and good. Except it’s a bit of a headache in practice, and if the user so chooses, asdf-install will allow you to bypass these security checks.
My goal for this post was to run through an install without ever using the dubious
0: [SKIP-GPG-CHECK] Don't check GPG signature for this package restart.
Before I get in too deep, these following 3 links were a tremendous help in figuring what the hell was going on. I love Common Lisp, but the learning curve is very, very steep. I’ve been struggling off and on with these issues for 3 years and these pages go into a bit more depth than I do here:
First thing I do is create my own public/private keypair:
and download and import the
cliki common-lisp.net developer keyring, which has the public keys of all developers publishing software on cliki:
wget http://common-lisp.net/keyring.asc gpg --import keyring.asc
Next, start up a fresh sbcl 1.0.30 image:
$ sbcl * (require 'asdf-install) * (asdf-install:install 'drakma)
and…we run into our first problem, GPG warns that
the key id 0x595FF045057958C6 (Dr. Edmund Weitz ) is not fully trusted. Simple enough to fix:
gpg --edit email@example.com > lsign > save
and…it blows up again, saying
Dr. Edmund Weitz (key id 595FF045057958C6) is not on your package supplier list. This time, the restart is fine, as asdf-install doesn’t recommend editing the package suppliers list by hand, so choose the
0: [ADD-KEY ] Add to package supplier list restart.
Next up, cl+ssl, a dependency of drakma, doesn’t have a signature file to be found. You can sneak a peak at the project’s releases here: http://common-lisp.net/project/cl-plus-ssl/download/ and see that although some of the older ones have signature files, there is, indeed, no signature for the latest release that asdf-install is trying to install. So download to your local machine, crack it open and take a quick look at the source, to be sure that it’s not malicious software. Then:
Except even though you are now installing from a local file and asdf-install won’t check for a signature, the installation blows up again, because it depends on the trivial-gray-streams package, which it tries to fetch from the internet and is also missing a signature file. In fact, trivial-gray streams can be downloaded from the same directory as cl+ssl, and you can see for yourself that trivial-gray-streams doesn’t have a signature file either. So we download, peek inside and repeat the local asdf-install for trivial-gray-streams, then cl+ssl:
(asdf-install:install "trivial-gray-streams.tar.gz") (asdf-install:install "cl+ssl.tar.gz")
This should result in stopping to alert you that the cffi and rt library authors are not trusted. Sign them with gpg, then hit the restarts to add them to the package suppliers list.
And things finally finish.
So that’s one kind of problem. Going through the process with cl-ppcre presents a somewhat different problem.
When checking the signature of cl-unicode, you get the error
No key found for key id 0x595FF045057958C6.
This is a misleading error message. We know it’s not true, since that’s Edi Weitz’s key and we’ve successfully installed software signed by him before. So, quit out of sbcl and let’s check that signature by hand:
wget http://weitz.de/files/cl-unicode.tar.gz wget http://weitz.de/files/cl-unicode.tar.gz.asc gpg cl-unicode.tar.gz.asc
and we see:
gpg: Signature made Wed 23 Jul 2008 05:28:42 PM CDT using DSA key ID 057958C6 gpg: BAD signature from "Dr. Edmund Weitz <firstname.lastname@example.org>"
Dun dun duunnn. Here’s an example of exactly why asdf-install does these security checks. The signature provided couldn’t have come from the file we were about to download, nevermind the fact that asdf-install does a terrible job of letting us know this.
However, I have trouble believing this is malicious code since it did come from Edi Weitz’s server (which could have been hacked). Since we’ve downloaded the tarball to check it’s signature anyway, we can take a look inside and see that it’s not terribly obviously malicious. So the source was probably modified and just wasn’t re-signed, so we go through the procedure to install from a local file.
So there you have a rather long-winded tour of just about everything that could go wrong when installing lisp code from wild west internet wikis. asdf-install needs some polish for sure and the packaging practices of the software on common-lisp.net is lacking. I hear clbuild is a good alternative, but I don’t know much about it. I’d like to look into it and try this same excercise with it and post back.