Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 05/13/2004 18:36:11
On Thu, May 13, 2004 at 11:25:08AM -0400, Thor Lancelot Simon wrote:
> On Thu, May 13, 2004 at 02:41:45PM +0100, Alistair Crooks wrote:
> > 
> > However, we need the functionality that gpg provides.  I keep being
> 
> I don't agree.  We need _a very small part_ of the functionality that
> gpg provides, that of RSA signing and signature checking.  The rest
> of it, we don't need; it's either candy, or it's intended for a purpose
> that's not ours.
> 
> For example, in the extensive list of gpg command-line invocations
> for which you asked for equivalents, quite a few of them are
> associated with web-of-trust management.  But (for this purpose)
> we don't have a web of trust; we have a trust hierarchy.  This
> means that a huge amount of the functionality in GPG is superfluous,
> whatever one thinks of how it's implemented.

Right, there are two separate uses for the gpg functionality,

(1) signing and verification of digital signatures, and
(2) web-of-trust style of key "knowledge"

I would prefer it if we could have both, but I will settle for (1)
now, and (2) to be implemented and deployed in the future.

One of the drivers for this is that I would like 2.0 to ship with some
digital signatures attached.  Another is that we have had digital
signature enablement in pkg_add(1) for two and a half years, via a
callout to pgp or gpg, and it would be nice to bring that into a
library that pkg_install and other tools can use.  I am also scheduled
to speak at UseBSD (the BSD special interest day of Usenix) on the
NetBSD update system, which uses digital signatures to verify the
provenance of binary packages.
 
> I could give you the openssl command-line syntax for the actual
> signing operations, but it's pretty awful; besides, I'm sure you
> could puzzle it out for yourself.  That's not the point.  As Dan
> pointed out, users should never have to be exposed to _either_
> of these command-line tools -- and OpenSSL is a *library*, and
> even better it's one that generates and checks signatures in a
> format that many other libraries can handle as well.  We can
> integrate OpenSSL support directly into the pkgtools and the
> system installer, and rely on no external utility at all.  I'd
> be glad to help you do that, if you like.

So, going with this, I'd like the ability to sign and verify files,
detaching signatures, and ASCII armoured ones.  A signature needs to
be located in a key server if necessary. As I said, I have had very
little luck in the past in finding enough openssl documentation to
enable me to do this, in a library, shell script, or just plain in
a block of C code. My thanks to Ben Collver for pasting the URLs.

However, if you could help me do this, that would be great. I'll
contact you offline to see what we can do.

Thanks,
Alistair
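The openssl(1) signing and verification that this thread keeps circling around (a detached signature, an ASCII-armoured form of it, and a check that rejects a modified file), as an added shell example that is not part of the mailing-list thread; it assumes openssl(1) is installed, and the key, file and signature names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): detached RSA signatures with the
# openssl(1) command line, a base64 "ASCII armoured" form of the signature,
# and verification that fails once the signed file is altered.
# Assumes openssl(1) is installed; key and file names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the signer's RSA key pair. The private key stays with the signer;
# only the public key would be shipped with the package tools.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signer.pem" 2>/dev/null
    openssl pkey -in "$WORK/signer.pem" -pubout -out "$WORK/signer.pub" 2>/dev/null
}

# Detached signature: the signed file is untouched, the signature sits beside it.
# $1 = file to sign, $2 = binary signature output, $3 = armoured (base64) output
sign_file() {
    openssl dgst -sha256 -sign "$WORK/signer.pem" -out "$2" "$1"
    openssl base64 -in "$2" -out "$3"
}

# Verify an armoured signature: un-armour it, then check it against the
# public key. Returns 0 on a good signature, non-zero otherwise.
# $1 = signed file, $2 = armoured signature
verify_armoured() {
    openssl base64 -d -in "$2" -out "$WORK/sig.bin"
    openssl dgst -sha256 -verify "$WORK/signer.pub" \
        -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
}

# Constructed sample "package" file to sign.
printf 'name=foo-1.0\nfiles=bin/foo\n' > "$WORK/pkg.txt"
gen_keys
sign_file "$WORK/pkg.txt" "$WORK/pkg.sig" "$WORK/pkg.sig.asc"

verify_armoured "$WORK/pkg.txt" "$WORK/pkg.sig.asc" && echo "good signature"

# Alter the file after signing: verification must now fail.
printf 'files=bin/evil\n' >> "$WORK/pkg.txt"
if verify_armoured "$WORK/pkg.txt" "$WORK/pkg.sig.asc"; then
    echo "BUG: altered file verified"; exit 1
else
    echo "altered file rejected"
fi
```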