1 |
On Mon, Nov 19, 2018 at 2:40 PM Zac Medico <zmedico@g.o> wrote: |
2 |
> |
3 |
> On 11/19/18 11:33 AM, Rich Freeman wrote: |
4 |
> > On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford <neddyseagoon@g.o> wrote: |
5 |
> >> |
6 |
> >> "The archive members support optional OpenPGP signatures. |
7 |
> >> The implementations must allow the user to specify whether OpenPGP |
8 |
> >> signatures are to be expected in remotely fetched packages." |
9 |
> >> |
10 |
> >> Or can the user specify that only some elements need to be signed? |
11 |
> >> |
12 |
> >> Is it a problem if not all elements are signed with the same key? |
13 |
> >> That could happen if one person makes a binpackage and someone |
14 |
> >> else updates the metadata. |
15 |
> >> |
16 |
> > |
17 |
> > IMO this is going a bit into PM details for a GLEP that is about |
18 |
> > container formats. |
19 |
> > |
20 |
> > Presumably any package manager is going to need to figure out what |
21 |
> > keys are/aren't valid and allow the user to configure this behavior. |
22 |
> > Users who want to go editing package innards will presumably adjust |
23 |
> > their package manager settings to accept their modifications, whether |
24 |
> > it means accepting their own sigs or disabling them. |
25 |
> |
26 |
> With the GLEP as it is, the user *must* use a local signing key to sign |
27 |
> installed packages during the installation process if they want to be |
28 |
> able to verify signatures for installed packages at some point in the |
29 |
> future, since the binary package format does not provide a way to use |
30 |
> binary package signatures for this purpose. |
31 |
|
32 |
I think we might be talking about different signatures? |
33 |
|
34 |
I think you're referring to signatures of the package files after they |
35 |
are installed on the local filesystem, while I'm talking about |
36 |
verifying the integrity of the package file themselves. |
37 |
|
38 |
If these signatures are applied to different data then obviously you |
39 |
couldn't just have the one signature serve double duty (unless you |
40 |
hung onto the binary package, verified the signature on it, then |
41 |
verified the package contents against the live filesystem). |
42 |
|
43 |
The simplest solution would be to do as you seem to be suggesting - |
44 |
verify the signature on the package before installing it, and then |
45 |
during installation capture whatever metadata is already supported by |
46 |
portage and sign that using a user's trusted key. |
47 |
|
48 |
This seems like the most practical solution in any case since we |
49 |
aren't likely to ever go down the route of using a single signed |
50 |
squashfs for /usr like a release-based binary distro might. |
51 |
|
52 |
-- |
53 |
Rich |