From owner-cvs-all Wed Feb 7 0:46:39 2001
Delivered-To: cvs-all@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1888337B65D; Wed, 7 Feb 2001 00:46:05 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14QQNk-0000Hj-00; Wed, 07 Feb 2001 01:55:20 -0700
Message-ID: <3A810D78.6669D9D2@softweyr.com>
Date: Wed, 07 Feb 2001 01:55:20 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jeremy Lea
Cc: Wes Peters , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/pkg_install/sign Makefile README check.c common.c extern.h gzip.c gzip.h main.c pgp.h pgp_check.c pgp_sign.c pkg_sign.1 sha1.c sign.c stand.c stand.h x509.c
References: <200102060646.f166kgf65013@freefall.freebsd.org> <20010206022059.G8780@shale.csir.co.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jeremy Lea wrote:
> 
> Hi,
> 
> On Mon, Feb 05, 2001 at 10:46:42PM -0800, Wes Peters wrote:
> > Add package signing utilities; somebody might actually want them.
> > These are not enabled in the pkg_install Makefile as of yet;
> > adding the "sign" directory to the SUBDIR list will enable
> > building of sign.
> 
> I've been giving this problem some thought, and I think that this is
> implemented in the wrong place: In pkg_add we don't see the gzip'ed
> tarball - it's piped directly into tar. Also, if we change the
> packaging format, we have to change the means of signing.

Yes, but on the other hand, it works now.

In pkg_add, there is some finite point in time at which you have all the
bits available and haven't yet started stuffing files onto the system;
this is the ideal point in time to check a signature and abort the
installation. All we have to do is identify that spot in the code and
arrange to check the signature in a way that doesn't muck up the rest of
the code any more than necessary, right?

> We have a packaging list, which contains MD5 checksums for all of our
> files (well not all in the current version, but all in my development
> version). The packaging list is not self referenced in the packaging
> list - since all packages must have one. Thus the packing list by
> itself is a certificate for the rest of the package - and we can use a
> standard text based signature, attached to the packaging list, as a
> verification of the entire package. This could be included as a
> separate file (which would not be listed in the packaging list), or as a
> @comment at the end of the list.
> 
> This way we would not have to play special tricks with the tarballs.

I like the idea of storing the signature in the actual tar data, rather
than the gzip header, because it makes it independent of the compression
format. Keep in mind that an X.509 certificate can be bigger than a
filename size; I'm not sure how the @comment is actually represented in
the tarball. The cpio format is actually somewhat more flexible for
these kinds of shenanigans.

> We will still need a key management protocol for the package tools
> though. I'll take a look at this code and see what I can merge in with
> my development version of the pkg_* tools.

X.509 certificates are really quite an impressive technology, and OpenSSL
implements the required bits quite nicely.
Since OpenSSL allows you to easily represent a "stack of certificates"
or "stack of keys" in an ASCII or binary data file, it is quite easy to
check a certificate against a set of keys, allowing the addition of
packages that add keys to the keyring.

I'm sorry I haven't been more responsive; I'm interested in working with
you to flesh this out for the next step in the package tools. Do you
have some code or a design document I can look at?

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                          Softweyr LLC
wes@softweyr.com                              http://softweyr.com/