tech-pkg archive


Re: officially signed packages

On Apr 7, 2014, at 14:38, Joerg Sonnenberger <> wrote:
> On Mon, Apr 07, 2014 at 01:36:10PM +0200, Jan Danielsson wrote:
>>   I used to (very) strongly prefer PGP over X.509, nowadays I see them
>> as being equally useful, but in different situations.  In the case of
>> signing packages, X.509 PKI is well-suited because TNF is a perfect type
>> of entity to be a CA.  That being said, the X.509 tools out there are
>> user-hostile, counter-intuitive, ugly, annoying, and down-right bad[*].
>> So while conceptually I'm all for TNF becoming a CA, the lack of
>> non-user-hostile tools makes me feel that the PGP route is better in the
>> end, as long as we have netpgp(verify).
> While I mostly agree about the hostility of tools like openssl(1), I
> don't think it applies overly much in this context. The use model I had
> in mind when creating the x509 support was:
> (1) The person responsible for a bulk build creates a CA
> certificate.
> (2) An intermediate key with a short valid time (3 month?) is used to
> sign the packages.

Why that short a time?
Perhaps I want/need to install packages from the previous pkgsrc release, and 
then the signatures aren't valid anymore...
Wouldn't it be safer to have at least 6 months' validity, as the quarterly builds 
tend to stay online longer than 3 months sharp?
(And once those are gone, it doesn't matter if the signature is valid a few 
more days… the other way around will cause more confusion/irritation if packages 
are online but won't install because of non-valid signatures…)

btw. what happens if I try to install a package with a non-valid signature?
Will I be refused? Will I be prompted that the signature has expired or is 
invalid, but I could override & continue anyway?

> (3) The CA certificate is published in the same location as the packages.
> Either a signature from a TNF "master" certificate or a PGP/GPG signature is
> used to anchor the trust.
> For the user this means doing the trust verification once -- either for
> the TNF "master" CA or the bulk builder certificate. This can happen
> using the normal PGP/GPG tools, netpgpverify or whatever. Afterwards,
> she doesn't have to care about the mechanism used.

Sounds good.

> For the bulk builder this means (a) setting up the personal CA (b)
> creating the signing key on a regular basis. You can find a script for
> doing that with two calls. Look at pkgsrc/pkg_install/files/x509. Might
> need some more polishing, but I don't think there is much complexity
> involved.
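The flow described in the quoted steps, written out end to end as an added example (it is not pkg_install code and not the x509 script in pkgsrc/pkg_install/files/x509): the bulk builder's personal CA is created, a signing certificate with a short validity window is issued from it, a package is signed with the signing key, and the installer side verifies the chain signing cert -> CA plus the detached signature while trusting only the CA, evaluated at the install time. It uses Go's standard crypto/x509 rather than OpenSSL and a plain ECDSA detached signature, so it models the trust relationships and the expiry behaviour, not pkg_install's on-disk signature format. The key type (ECDSA P-256), the 5-year CA lifetime, the 90-day signing window, the certificate names, the reference date and the package contents are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key (assumption: any signing key type would do),
// certifies it with signer (nil means self-signed) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewCA is step (1)/(a): the bulk builder's long-lived, self-signed personal CA.
// This is the one certificate the user has to establish trust in (once).
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "bulk build CA (hypothetical)"},
		NotBefore:             now,
		NotAfter:              now.AddDate(5, 0, 0), // assumed CA lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// NewSigningCert is step (2)/(b): a signing key the CA certifies for only
// `validity` (3 months in the proposal). It is not a CA and cannot certify keys.
func NewSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "package signing key (hypothetical)"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return issue(tmpl, ca, caKey)
}

// SignPackage produces the detached signature published beside the package;
// the signing certificate is published with it so the installer can chain it.
func SignPackage(payload []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// VerifyPackage is the installer side: with only the CA trusted, build the chain
// signing cert -> CA as of install time `at`, then check the detached signature.
func VerifyPackage(payload, sig []byte, signingCert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signingCert.Verify(opts); err != nil {
		return err // chain invalid: unknown CA, wrong usage, or outside the validity window
	}
	pub, ok := signingCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(payload)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("package signature does not verify")
	}
	return nil
}

// IsExpired reports whether verification failed because the signing certificate's
// validity window had already passed at install time, as opposed to any other cause.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}
```

The two install times in the test mirror the question above: 30 days after the build the chain verifies; 120 days after it, past the 90-day window, Verify returns a CertificateInvalidError with Reason Expired, which IsExpired distinguishes from a tampered payload or a signing certificate that chains to an unrelated CA (both of which also fail, for different reasons). A longer validity on the signing certificate only moves the point at which the first case starts happening.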
