Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <tv@duh.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-pkg
Date: 07/26/2005 03:48:41
On Mon, 25 Jul 2005, Todd Vierling wrote:

> If a package signature were placed as the first entry in the tarball, it
> should be possible using a tar library (do we do this yet?) to verify while
> extracting, and simply stop dead and nuke any extracted files if an
> unverifiable entry is encountered in the stream.

There are two issues I see with this, though I don't know if they're
important enough that we want to give up "single-pass" functionality.

     1. If we extract, then nuke when we discover an error, we wipe out
     any files that existed before we started the extraction.

     2. Creating a signed archive can't be done with an append operation
     on an existing archive. Though now that I think about it, since you
     could just write a new signed archive (except, ironically enough,
     not if the input is streamed to you), this is probably no big deal
     at all.

Come to think of it, if we're going to nuke anyway, we have to remember
what to nuke, so doing the checks at the end (assuming we know in
advance what hash scheme(s) we're going to encounter at the end) is also
potentially possible.

I wonder what the consequences are of allowing the signature file to be
either at the head or the tail? Increased complexity, for a start, which
is certainly one blow against it.

What I suppose I'm liking best at this point, in terms of simplicity, is:

     1. In a "generic signed archive," the first file in the archive is a
     list of hashes for all of the following files, in order. More than
     one hash may be provided for each file. This file will be signed,
     with a copy of the signing key included in it. (This latter point
     is so that the file can act as, essentially, a strong hash of the
     archive even if the certificate can't be trusted--this protects
     against accidental corruptions.)

     2. It is an error for files to be in the archive but not in the
     signed list of hashes.

     3. The first file will have a defined name, as well as an easily
     recognisable format. If the first file in an archive has that name
     but is not in a recognisable format, or does not have a valid
     signature, the archive will be declared to be corrupt.

It seems to me that this could work for tar, cpio, pax, ZIP, whatever.
Is there anything it's missing that pkgsrc would need? (I don't see the
need for hashes for files created by scripts in the archive, since those
scripts will be verified with hashes.)

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA
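The three-point "generic signed archive" scheme above, worked through as an added example (this is not code from the thread or from pkgsrc). The first tar entry is a signed, ordered hash list; every later entry is hashed as it streams past and compared against the list, a file present in the archive but absent from the list is an error, and a wrongly named or malformed first entry declares the archive corrupt. The entry name `+SIGNED_MANIFEST`, the line-oriented manifest format, and the HMAC used in place of a real public-key signature (with a `keyid` line standing in for the embedded copy of the signing key) are all assumptions made for the example. Passing `key=None` skips the signature check but still verifies the hashes, which is the "strong hash of the archive even if the certificate can't be trusted" case from point 1.

```python
import hashlib
import hmac
import io
import tarfile

# Hypothetical fixed name for the first entry (the design only says "a defined name").
MANIFEST_NAME = "+SIGNED_MANIFEST"
# More than one hash per file is allowed; both are listed for every file here.
HASH_ALGOS = ("sha256", "sha1")


class VerificationError(Exception):
    """Raised when the archive must be declared corrupt."""


def _sign(body: bytes, key: bytes) -> str:
    # Stand-in for a public-key signature over the hash list (assumption for the example).
    return hmac.new(key, body, "sha256").hexdigest()


def build_manifest(files, key: bytes, key_id: str) -> bytes:
    """Hash list in archive order, then a signature line covering everything above it."""
    lines = [f"keyid {key_id}"]  # stands in for the embedded copy of the signing key
    for name, data in files:
        for algo in HASH_ALGOS:
            lines.append(f"{algo} {hashlib.new(algo, data).hexdigest()} {name}")
    body = ("\n".join(lines) + "\n").encode()
    return body + f"sig {_sign(body, key)}\n".encode()


def write_tar(entries) -> bytes:
    """Plain tar of (name, bytes) entries, written in the given order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_signed_archive(files, key: bytes, key_id: str = "example-key") -> bytes:
    files = list(files)
    return write_tar([(MANIFEST_NAME, build_manifest(files, key, key_id))] + files)


def parse_manifest(raw: bytes, key):
    """Return [(name, {algo: hexdigest}), ...] in archive order; key=None skips the signature."""
    lines = raw.decode("utf-8", "replace").split("\n")
    if (len(lines) < 3 or lines[-1] != "" or not lines[0].startswith("keyid ")
            or not lines[-2].startswith("sig ")):
        raise VerificationError("first entry is not in the recognised manifest format")
    body = ("\n".join(lines[:-2]) + "\n").encode()
    if key is not None and not hmac.compare_digest(lines[-2][4:], _sign(body, key)):
        raise VerificationError("manifest signature does not verify")
    expected = []
    for line in lines[1:-2]:
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] not in hashlib.algorithms_available:
            raise VerificationError(f"unparseable hash line: {line!r}")
        algo, digest, name = parts
        if not expected or expected[-1][0] != name:
            expected.append((name, {}))
        expected[-1][1][algo] = digest
    return expected


def verify_stream(archive: bytes, key, chunk: int = 65536) -> dict:
    """Single pass: read the hash list first, then hash each later entry as it streams by."""
    verified, position = {}, 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r|") as tar:
        first = tar.next()
        if first is None or first.name != MANIFEST_NAME or not first.isreg():
            raise VerificationError("first entry is not the signed hash list")
        expected = parse_manifest(tar.extractfile(first).read(), key)
        while (member := tar.next()) is not None:
            if position >= len(expected) or expected[position][0] != member.name:
                raise VerificationError(f"{member.name!r} is not in the signed list at position {position}")
            if not member.isreg():
                raise VerificationError(f"{member.name!r}: only regular files are hashed here")
            digests = {algo: hashlib.new(algo) for algo in expected[position][1]}
            src, data = tar.extractfile(member), bytearray()
            while block := src.read(chunk):
                for h in digests.values():
                    h.update(block)
                data += block
            for algo, h in digests.items():
                if not hmac.compare_digest(h.hexdigest(), expected[position][1][algo]):
                    raise VerificationError(f"{member.name!r}: {algo} mismatch, archive is corrupt")
            verified[member.name] = bytes(data)  # only handed out once its hashes matched
            position += 1
    if position != len(expected):
        raise VerificationError("archive ended before every listed file was seen")
    return verified


def check(archive: bytes, key) -> str:
    """'ok', or the reason the archive was rejected."""
    try:
        verify_stream(archive, key)
        return "ok"
    except VerificationError as e:
        return f"corrupt: {e}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
    FILES = [("bin/foo", b"hello, world\n"), ("+INSTALL", b"#!/bin/sh\necho installed\n")]
    print(check(build_signed_archive(FILES, KEY), KEY))
```

Because each entry's content is only released after its hashes match, a caller can write files out one at a time without the "extract then nuke" problem from point 1 for that entry; files that were already on disk before extraction started are still the caller's responsibility (staging into a temporary directory and renaming at the end is the usual answer). The in-order position check is what makes an unlisted, reordered, or truncated stream fail without needing to read to the end first.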