Date:      Wed, 07 Feb 2001 01:55:20 -0700
From:      Wes Peters <wes@softweyr.com>
To:        Jeremy Lea <reg@FreeBSD.org>
Cc:        Wes Peters <wes@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/pkg_install/sign Makefile README check.c  common.c extern.h gzip.c gzip.h main.c pgp.h pgp_check.c pgp_sign.c  pkg_sign.1 sha1.c sign.c stand.c stand.h x509.c
Message-ID:  <3A810D78.6669D9D2@softweyr.com>
References:  <200102060646.f166kgf65013@freefall.freebsd.org> <20010206022059.G8780@shale.csir.co.za>

Jeremy Lea wrote:
> 
> Hi,
> 
> On Mon, Feb 05, 2001 at 10:46:42PM -0800, Wes Peters wrote:
> >   Add package signing utilities; somebody might actually want them.
> >   These are not enabled in the pkg_install Makefile as of yet;
> >   adding the "sign" directory to the SUBDIR list will enable
> >   building of sign.
> 
> I've been giving this problem some thought, and I think that this is
> implemented in the wrong place:  In pkg_add we don't see the gzip'ed
> tarball - it's piped directly into tar.  Also, if we change the
> packaging format, we have to change the means of signing.

Yes, but on the other hand, it works now.  In pkg_add, there is some
finite point in time at which you have all the bits available and haven't
yet started stuffing files onto the system; this is the ideal point in
time to check a signature and abort the installation.  All we have to
do is identify that spot in the code and arrange to check the signature
in a way that doesn't muck up the rest of the code any more than
necessary, right?

> We have a packaging list, which contains MD5 checksums for all of our
> files (well not all in the current version, but all in my development
> version).  The packaging list is not self referenced in the packaging
> list - since all packages must have one.  Thus the packing list by
> itself is a certificate for the rest of the package - and we can use a
> standard text based signature, attached to the packaging list, as a
> verification of the entire package.  This could be included as a
> separate file (which would not be listed in the packaging list), or as a
> @comment at the end of the list.
> 
> This way we would not have to play special tricks with the tarballs.

I like the idea of storing the signature in the actual tar data, rather
than the gzip header, because it makes it independent of the compression
format.  Keep in mind that an X.509 certificate can be bigger than a
filename size; I'm not sure how the @comment is actually represented in
the tarball.  The cpio format is actually somewhat more flexible for
these kinds of shenanigans.

> We will still need a key management protocol for the package tools
> though.  I'll take a look at this code and see what I can merge in with
> my development version of the pkg_* tools.

X.509 certificates are really quite an impressive technology, and OpenSSL
implements the required bits quite nicely.  Since OpenSSL allows you to
easily represent a "stack of certificates" or "stack of keys" in an
ASCII or binary data file, it is quite easy to check a certificate against
a set of keys; allowing the addition of packages that add keys to the
keyring.

I'm sorry I haven't been more responsive, I'm interested in working with
you to flesh this out for the next step in the package tools.  Do you have
some code or a design document I can look at?

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
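An added illustration of the scheme Jeremy sketches above (example code written for this archive page, not from pkg_install or either author): the packing list carries an MD5 per file and never names itself, a signature over the whole list is attached as a trailing @comment, and the installer checks that signature before it looks at a single file. The +CONTENTS layout, the `@comment SIGNATURE:` line, and the use of Ed25519 in place of PGP or X.509 are assumptions made so the example runs with the Go standard library alone.

```go
package main
import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample package (file name -> contents); stands in for the tarball.
var sampleFiles = map[string][]byte{"bin/hello": []byte("#!/bin/sh\necho hello\n"), "man/hello.1": []byte(".TH HELLO 1\n")}
// buildPackingList: +CONTENTS-style list (layout assumed), each file line followed by its "@comment MD5:<hex>".
func buildPackingList(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s\n@comment MD5:%x\n", n, md5.Sum(files[n]))
	}
	return b.String()
}
// signPackingList appends a signature over the whole list as its final @comment (Ed25519 stands in for PGP/X.509).
func signPackingList(priv ed25519.PrivateKey, list string) string {
	return list + "@comment SIGNATURE:" + hex.EncodeToString(ed25519.Sign(priv, []byte(list))) + "\n"
}
// verifyPackage: signature first, then every listed file's MD5, then no unlisted file in the package.
func verifyPackage(pub ed25519.PublicKey, signed string, files map[string][]byte) error {
	list, sigHex, found := strings.Cut(signed, "@comment SIGNATURE:")
	sig, err := hex.DecodeString(strings.TrimSpace(sigHex))
	if !found || err != nil || !ed25519.Verify(pub, []byte(list), sig) {
		return fmt.Errorf("bad or missing signature on packing list")
	}
	lines, listed := strings.Split(strings.TrimSpace(list), "\n"), map[string]bool{}
	for j := 0; j+1 < len(lines); j += 2 {
		name, want := lines[j], strings.TrimPrefix(lines[j+1], "@comment MD5:")
		if data, ok := files[name]; !ok || fmt.Sprintf("%x", md5.Sum(data)) != want {
			return fmt.Errorf("%s: missing or checksum mismatch", name)
		}
		listed[name] = true
	}
	if len(listed) != len(files) { // every listed name exists, so unequal counts mean an unlisted file
		return fmt.Errorf("package contains files the signed list does not name")
	}
	return nil
}
```

Any edit to a file, to the list, or an extra file smuggled into the archive makes verifyPackage fail before anything would be installed.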

