Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <firstname.lastname@example.org>
From: Alistair Crooks <email@example.com>
Date: 05/13/2004 18:36:11

On Thu, May 13, 2004 at 11:25:08AM -0400, Thor Lancelot Simon wrote:
> On Thu, May 13, 2004 at 02:41:45PM +0100, Alistair Crooks wrote:
> > However, we need the functionality that gpg provides. I keep being
>
> I don't agree. We need _a very small part_ of the functionality that
> gpg provides, that of RSA signing and signature checking. The rest
> of it, we don't need; it's either candy, or it's intended for a purpose
> that's not ours.
>
> For example, in the extensive list of gpg command-line invocations
> for which you asked for equivalents, quite a few of them are
> associated with web-of-trust management. But (for this purpose)
> we don't have a web of trust; we have a trust hierarchy. This
> means that a huge amount of the functionality in GPG is superfluous,
> whatever one thinks of how it's implemented.

Right, there are two separate uses for the gpg functionality,
(1) signing and verification of digital signatures, and
(2) web-of-trust style of key "knowledge"

I would prefer it if we could have both, but I will settle for (1)
now, and (2) to be implemented and deployed in the future.

One of the drivers for this is that I would like 2.0 to ship with some
digital signatures attached. Another is that we have had digital
signature enablement in pkg_add(1) for two and a half years, via a
callout to pgp or gpg, and it would be nice to bring that into a
library that pkg_install and other tools can use. I am also scheduled
to speak at UseBSD (the BSD special interest day of Usenix) on the
NetBSD update system, which uses digital signatures to verify the
provenance of binary packages.

> I could give you the openssl command-line syntax for the actual
> signing operations, but it's pretty awful; besides, I'm sure you
> could puzzle it out for yourself. That's not the point. As Dan
> pointed out, users should never have to be exposed to _either_
> of these command-line tools -- and OpenSSL is a *library*, and
> even better it's one that generates and checks signatures in a
> format that many other libraries can handle as well. We can
> integrate OpenSSL support directly into the pkgtools and the
> system installer, and rely on no external utility at all. I'd
> be glad to help you do that, if you like.

So, going with this, I'd like the ability to sign and verify files,
detaching signatures, and ASCII armoured ones. A signature needs to
be located in a key server if necessary. As I said, I have had very
little luck in the past in finding enough openssl documentation to
enable me to do this, in a library, shell script, or just plain in
a block of C code. My thanks to Ben Collver for pasting the URLs.

However, if you could help me do this, that would be great. I'll
contact you offline to see what we can do.
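
The detached sign-and-verify operation discussed in this message, as an added example that is not part of the original mail or of NetBSD's pkg tools: it uses the openssl command line to produce a detached RSA signature over a file, keeps a base64 text copy of it (plain base64, not OpenPGP armour), and verifies it against the public key. The key, file names and payload are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detached RSA signatures with the openssl CLI.
# Key, file names and file contents are constructed for this demo.

# make_keypair DIR: throwaway 2048-bit RSA key plus its public half.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signer.key" 2>/dev/null &&
    openssl pkey -in "$1/signer.key" -pubout -out "$1/signer.pub"
}

# sign_detached KEY FILE: write FILE.sig (binary) and FILE.sig.asc (base64).
sign_detached() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2" &&
    openssl base64 -in "$2.sig" -out "$2.sig.asc"
}

# verify_detached PUB FILE: returns 0 only if FILE.sig.asc matches FILE.
verify_detached() {
    vd_tmp=$(mktemp) || return 2
    openssl base64 -d -in "$2.sig.asc" -out "$vd_tmp" &&
    openssl dgst -sha256 -verify "$1" -signature "$vd_tmp" "$2" >/dev/null 2>&1
    vd_rc=$?
    rm -f "$vd_tmp"
    return "$vd_rc"
}

# demo: sign a constructed package file, then show that tampering is caught.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed package payload\n' > "$d/pkg.tgz"
    make_keypair "$d" && sign_detached "$d/signer.key" "$d/pkg.tgz" || return 2
    verify_detached "$d/signer.pub" "$d/pkg.tgz" && echo "original: signature OK"
    printf 'x' >> "$d/pkg.tgz"
    verify_detached "$d/signer.pub" "$d/pkg.tgz" || echo "tampered: signature rejected"
    rm -rf "$d"
}

demo
```

The verifier needs only the public key and the signature file, so the private key can stay on the signing host.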