Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <>
From: Alistair Crooks <>
List: tech-userlevel
Date: 05/13/2004 18:36:11

On Thu, May 13, 2004 at 11:25:08AM -0400, Thor Lancelot Simon wrote:
> On Thu, May 13, 2004 at 02:41:45PM +0100, Alistair Crooks wrote:
> > 
> > However, we need the functionality that gpg provides.  I keep being
> I don't agree.  We need _a very small part_ of the functionality that
> gpg provides, that of RSA signing and signature checking.  The rest
> of it, we don't need; it's either candy, or it's intended for a purpose
> that's not ours.
> For example, in the extensive list of gpg command-line invocations
> for which you asked for equivalents, quite a few of them are
> associated with web-of-trust management.  But (for this purpose)
> we don't have a web of trust; we have a trust hierarchy.  This
> means that a huge amount of the functionality in GPG is superfluous,
> whatever one thinks of how it's implemented.

Right, there are two separate uses for the gpg functionality,

(1) signing and verification of digital signatures, and
(2) web-of-trust style of key "knowledge"

I would prefer it if we could have both, but I will settle for (1)
now, and (2) to be implemented and deployed in the future.

One of the drivers for this is that I would like 2.0 to ship with some
digital signatures attached.  Another is that we have had digital
signature enablement in pkg_add(1) for two and a half years, via a
callout to pgp or gpg, and it would be nice to bring that into a
library that pkg_install and other tools can use.  I am also scheduled
to speak at UseBSD (the BSD special interest day of Usenix) on the
NetBSD update system, which uses digital signatures to verify the
provenance of binary packages.

> I could give you the openssl command-line syntax for the actual
> signing operations, but it's pretty awful; besides, I'm sure you
> could puzzle it out for yourself.  That's not the point.  As Dan
> pointed out, users should never have to be exposed to _either_
> of these command-line tools -- and OpenSSL is a *library*, and
> even better it's one that generates and checks signatures in a
> format that many other libraries can handle as well.  We can
> integrate OpenSSL support directly into the pkgtools and the
> system installer, and rely on no external utility at all.  I'd
> be glad to help you do that, if you like.

So, going with this, I'd like the ability to sign and verify files,
detaching signatures, and ASCII armoured ones.  A signature needs to
be located in a key server if necessary. As I said, I have had very
little luck in the past in finding enough openssl documentation to
enable me to do this, in a library, shell script, or just plain in
a block of C code. My thanks to Ben Collver for pasting the URLs.

However, if you could help me do this, that would be great. I'll
contact you offline to see what we can do.
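
The sign/verify requirement discussed in this message, sketched with openssl(1) alone. This is an added example, not code from either poster or from NetBSD. It produces raw RSA/SHA-256 signatures wrapped in plain base64 rather than OpenPGP armour, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: detached, base64-armoured RSA signatures using only openssl(1).
# Function and file names are hypothetical; the "package" is constructed data.

# make_keypair DIR: create a 2048-bit RSA signing key and its public half.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signer.key" 2>/dev/null &&
    openssl pkey -in "$1/signer.key" -pubout -out "$1/signer.pub"
}

# sign_detached KEY FILE: write FILE.sig.asc, a base64-encoded RSA/SHA-256
# signature stored separately from the file it covers.
sign_detached() {
    openssl dgst -sha256 -sign "$1" "$2" | openssl base64 -out "$2.sig.asc"
}

# verify_detached PUBKEY FILE: return 0 only if FILE.sig.asc matches FILE.
# The result is taken from openssl's "Verified OK" line, so a missing,
# truncated or mismatched signature all end up as a rejection.
verify_detached() {
    raw=$(mktemp) || return 2
    rc=1
    if openssl base64 -d -in "$2.sig.asc" -out "$raw" 2>/dev/null &&
       openssl dgst -sha256 -verify "$1" -signature "$raw" "$2" 2>/dev/null |
           grep -q 'Verified OK'
    then rc=0; fi
    rm -f "$raw"
    return $rc
}

# Demo: sign a constructed file, verify it, then show that any change to
# the file after signing causes verification to fail.
demo() {
    d=$(mktemp -d) || return 2
    make_keypair "$d" || return 2
    printf 'constructed package contents\n' > "$d/pkg.tgz"
    sign_detached "$d/signer.key" "$d/pkg.tgz"
    verify_detached "$d/signer.pub" "$d/pkg.tgz" && echo "original: signature OK"
    printf 'tampered\n' >> "$d/pkg.tgz"
    verify_detached "$d/signer.pub" "$d/pkg.tgz" || echo "modified: signature REJECTED"
    rm -rf "$d"
}
demo
```

Only the public key has to reach the machine that verifies; how that key is distributed and trusted is the hierarchy question debated in the thread and is outside this sketch.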