Radicle is a peer-to-peer, local-first code collaboration stack built on Git.


Radicle 1.8.0 – Drosera

30.03.2026

The Radicle team are back sooner rather than later with an important release: Radicle 1.8.0, code name Drosera. Radicle 1.7.0 included a security fix, and the team has worked hard since that release to provide improved security on top of it.

Our post “Disclosure of Vulnerability in Signed References” provides more context on the features listed below.

Signed References Feature Levels

Feature Level Detection

Radicle’s Signed References now detect which feature level they have been upgraded to. Feature levels are monotonically increasing, starting from none. The none feature level means that the refs and signature blobs are present, but the refs do not contain refs/rad/root nor refs/rad/sigrefs-parent. At this level, the signature in refs must still verify against the public key of the namespace. The next level, known as root, adds refs/rad/root. Since the levels are monotonically increasing, root implies none. The latest feature level is parent, which implies root and means that refs/rad/sigrefs-parent is included.

Feature Level Downgrade Detection

Because feature levels are monotonically increasing, we can detect when downgrade attacks are attempted. When the head commit of a signed references entry is at the parent feature level, it is secure. However, if the current head is found to be at root or none, the rest of the commits are inspected to see whether the head is the result of a downgrade.

Note that, in some cases, downgrades may have occurred due to moving between different versions of Radicle releases. In these cases, there are recovery mechanisms, since the user can always create a new signed references commit, and these upgrades can be fetched by other nodes.
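
The feature level ordering and the downgrade check described in the two sections above can be modelled in a few lines of Rust. This is an added example, not code from Radicle: the names FeatureLevel, detect and downgraded_from are hypothetical, the ref lists are constructed, and signature verification is assumed to have passed. Treating any ancestor entry at a higher level than the head as a downgrade is this model's reading of the history walk.

```rust
// Added illustration: a simplified model, not Radicle's implementation.
// Signature verification is assumed to have passed and is not modelled.

/// Ordered lowest to highest, so deriving `Ord` encodes "parent implies root implies none".
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum FeatureLevel { None, Root, Parent }

/// Classify one signed references entry by the ref names listed in its refs blob.
fn detect(refs: &[&str]) -> FeatureLevel {
    let has = |name: &str| refs.iter().any(|r| *r == name);
    match (has("refs/rad/root"), has("refs/rad/sigrefs-parent")) {
        (true, true) => FeatureLevel::Parent,
        (true, false) => FeatureLevel::Root,
        // Assumption of this model: without refs/rad/root no higher level is granted.
        (false, _) => FeatureLevel::None,
    }
}

/// `history` lists each entry's refs, head first. Returns the highest level an
/// ancestor reached above the head, i.e. the level the head was downgraded from.
fn downgraded_from(history: &[&[&str]]) -> Option<FeatureLevel> {
    let (head, ancestors) = history.split_first()?;
    let head_level = detect(head);
    if head_level == FeatureLevel::Parent {
        return None; // head at `parent`: the history walk is skipped
    }
    ancestors.iter().map(|refs| detect(refs)).filter(|l| *l > head_level).max()
}

fn main() {
    // Constructed ref lists, not taken from a real repository.
    let none: &[&str] = &["refs/heads/main"];
    let root: &[&str] = &["refs/heads/main", "refs/rad/root"];
    let parent: &[&str] = &["refs/heads/main", "refs/rad/root", "refs/rad/sigrefs-parent"];

    let upgraded: &[&[&str]] = &[parent, root, none];
    let never_upgraded: &[&[&str]] = &[root, root, none];
    let downgraded: &[&[&str]] = &[root, parent, root];

    println!("upgraded: {:?}", downgraded_from(upgraded));
    println!("never upgraded: {:?}", downgraded_from(never_upgraded));
    println!("downgraded head: {:?}", downgraded_from(downgraded));
}
```

The second history shows why a head at root or none is not by itself a downgrade: only an ancestor at a higher level makes it one.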

Feature Level Migration

Detecting these feature levels allows the node to recognize when a migration is needed. Upon startup of the radicle-node, if any of the local user’s signed references are not at the parent feature level, a new signed references entry will be automatically created.

Feature Level Inspection

To help understand and debug a user’s signed references, the rad inspect --sigrefs command has learned to output the feature levels of the signed references entries. For example:

z6MkireRatUThvd3qzfKht1S44wpm4FEWSSa4PRMTSQZ3voM bf789d587a4f399b0580146cb06634d87188400c parent
z6MkkPvBfjP4bQmco5Dm7UGsX2ruDBieEHi8n9DVJWX5sTEz 7d1c1aa1816a3bb43b9667ec3d0ee7324b98cb3e parent
z6Mkf8A8EV6M8KjAFyjpvLexQMrixSmHu3hiP45qUMW6FoXE e1d57a292eba718b5bb192c5ba61c5b38ba07398 root
z6MkfXa53s1ZSFy8rktvyXt5ADCojnxvjAoQpzajaXyLqG5n 851d11cf8e6e208b96d72e71181700b822301a48 root
z6MkfgZKQgtWtgNsVizqWqFKf6ka7oo8vS8mppKDVhDM5YMm c5d091bb7d63f2dae517f78f77ae9e0a7e0607b4 none

The first column shows the Node Identifier, the second column shows the OID of the head of the respective refs/rad/sigrefs, and the third column shows the feature level detected.

Feature Level Option

Finally, the node configuration learned a new configuration option, under node.fetch.signedReferences.featureLevel.minimum. This prevents your node fetching namespaces that are at a feature level below the specified minimum. The current default is none, but as time goes on, and nodes upgrade, you should choose to update this minimum to parent. Once you have updated this minimum, it is still possible to perform a one-shot rad sync or rad clone with a lower minimum by using the --signed-refs-feature-level option.

Performance Impact of Signed References Verification

It is important to note that there will be a perceived performance impact on the verification of signed references. The performance degradation is due to the verification process having to walk the history of the commits. However, when signed references are on the parent feature level, this walk is unnecessary.

This provides another reason for users to upgrade as soon as possible, so that fetches are fast again, as well as more secure.

Changelog

Checksums

c6cf18a44d64182270bfcfcb70a19bc1556e8627bcd6d3b6d373fe7e1c461cc2  radicle-1.8.0-x86_64-unknown-linux-musl.tar.xz
72ac7abde20eee1973bcdcd2d2022916fbb371fc3651ffba9166d15109923ace  radicle-1.8.0-aarch64-unknown-linux-musl.tar.xz
fe68c9a0e5bbceb3cc1c123e99ee2835673759c8acc33511ada995abd33d0abd  radicle-1.8.0-aarch64-apple-darwin.tar.xz
238d9df6204f0ea9e42c9fe508a848e18799abd660483add346908a5f2754826  radicle-1.8.0-x86_64-apple-darwin.tar.xz