| 1 |
On Mon, Nov 19, 2018 at 2:40 PM Zac Medico <zmedico@g.o> wrote: |
| 2 |
> |
| 3 |
> On 11/19/18 11:33 AM, Rich Freeman wrote: |
| 4 |
> > On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford <neddyseagoon@g.o> wrote: |
| 5 |
> >> |
| 6 |
> >> "The archive members support optional OpenPGP signatures. |
| 7 |
> >> The implementations must allow the user to specify whether OpenPGP |
| 8 |
> >> signatures are to be expected in remotely fetched packages." |
| 9 |
> >> |
| 10 |
> >> Or can the user specify that only some elements need to be signed? |
| 11 |
> >> |
| 12 |
> >> Is it a problem if not all elements are signed with the same key? |
| 13 |
> >> That could happen if one person makes a binpackage and someone |
| 14 |
> >> else updates the metadata. |
| 15 |
> >> |
| 16 |
> > |
| 17 |
> > IMO this is going a bit into PM details for a GLEP that is about |
| 18 |
> > container formats. |
| 19 |
> > |
| 20 |
> > Presumably any package manager is going to need to figure out what |
| 21 |
> > keys are/aren't valid and allow the user to configure this behavior. |
| 22 |
> > Users who want to go editing package innards will presumably adjust |
| 23 |
> > their package manager settings to accept their modifications, whether |
| 24 |
> > it means accepting their own sigs or disabling them. |
| 25 |
> |
| 26 |
> With the GLEP as it is, the user *must* use a local signing key to sign |
| 27 |
> installed packages during the installation process if they want to be |
| 28 |
> able to verify signatures for installed packages at some point in the |
| 29 |
> future, since the binary package format does not provide a way to use |
| 30 |
> binary package signatures for this purpose. |
| 31 |
|
| 32 |
I think we might be talking about different signatures? |
| 33 |
|
| 34 |
I think you're referring to signatures of the package files after they |
| 35 |
are installed on the local filesystem, while I'm talking about |
| 36 |
verifying the integrity of the package file themselves. |
| 37 |
|
| 38 |
If these signatures are applied to different data then obviously you |
| 39 |
couldn't just have the one signature serve double duty (unless you |
| 40 |
hung onto the binary package, verified the signature on it, then |
| 41 |
verified the package contents against the live filesystem). |
| 42 |
|
| 43 |
The simplest solution would be to do as you seem to be suggesting - |
| 44 |
verify the signature on the package before installing it, and then |
| 45 |
during installation capture whatever metadata is already supported by |
| 46 |
portage and sign that using a user's trusted key. |
| 47 |
|
| 48 |
This seems like the most practical solution in any case since we |
| 49 |
aren't likely to ever go down the route of using a single signed |
| 50 |
squashfs for /usr like a release-based binary distro might. |
| 51 |
|
| 52 |
-- |
| 53 |
Rich |
Archives