tech-pkg archive


Re: officially signed packages



On Mon, Apr 07, 2014 at 04:48:16PM +0200, Fredrik Pettai wrote:
> On Apr 7, 2014, at 14:38 , Joerg Sonnenberger 
> <joerg%britannica.bec.de@localhost> wrote:
> > On Mon, Apr 07, 2014 at 01:36:10PM +0200, Jan Danielsson wrote:
> >>   I used to (very) strongly prefer PGP over X.509, nowadays I see them
> >> as being equally useful, but in different situations.  In the case of
> >> signing packages, X.509 PKI is well-suited because TNF is a perfect type
> >> of entity to be a CA.  That being said, the X.509 tools out there are
> >> user-hostile, counter-intuitive, ugly, annoying, and downright bad[*].
> >> So while conceptually I'm all for TNF becoming a CA, the lack of
> >> non-user-hostile tools makes me feel that the PGP route is better in the
> >> end.  ..as long as we have netpgp(verify).
> > 
> > While I mostly agree about the hostility of tools like openssl(1), I
> > don't think it applies overly much in this context. The use model I had
> > in mind when creating the x509 support was:
> > 
> > (1) The person responsible for a bulk build creates a CA
> > certificate.
> > 
> > (2) An intermediate key with a short valid time (3 month?) is used to
> > sign the packages.
> 
> Why that short time? 

Just an attempt to establish a base line between "too much work for
admin" and "impact of possible breach". Rotating certs with 6-month
validity every 3 months might work better, I just wanted to toss in a
number.

> btw. what happens if I try to install a package with a non-valid signature?
> Will I be refused? Will I be prompted that the signature has expired or
> is invalid, but I could override & continue anyway?

Depends on CHECK_VULNERABILITIES, see pkg_install.conf(5).

Joerg
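The two-tier model Joerg sketches (a long-lived CA owned by the bulk-build admin, a short-lived signer certificate that actually signs packages), as an added openssl(1) walk-through; this is not pkg_install's own signing code, and the file names, the 90-day window and the detached CMS signature format are assumptions of the demo. It also shows what plain chain verification does once the signer window has passed: the same signature that verified on the day of the build is rejected when checked 91 days later.

```shell
#!/bin/sh
# Added example: models the CA + short-lived signer scheme from the thread
# with openssl(1). Not pkg_install's own code; directory layout, 90-day
# window and package name are assumptions for the demo.
set -eu

# (1) Bulk-build owner creates a long-lived, self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=bulk-build CA" 2>/dev/null
}

# (2) A separate signing key gets a certificate valid for only $2 days;
#     this is the key the admin rotates, the CA key stays offline.
make_signer() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sign.key" \
    -out "$1/sign.csr" -subj "/CN=bulk-build signer" 2>/dev/null
  openssl x509 -req -in "$1/sign.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$2" -out "$1/sign.crt" 2>/dev/null
}

# Detached CMS signature over the package file, signer cert embedded.
sign_pkg() {
  openssl cms -sign -binary -in "$1/pkg.tgz" -signer "$1/sign.crt" \
    -inkey "$1/sign.key" -outform DER -out "$1/pkg.tgz.sig" 2>/dev/null
}

# Verify as of epoch time $2. Only the CA cert is trusted; the signer cert
# inside the signature must chain to it and be valid at that time.
verify_pkg_at() {
  if openssl cms -verify -binary -inform DER -in "$1/pkg.tgz.sig" \
       -content "$1/pkg.tgz" -CAfile "$1/ca.crt" -attime "$2" \
       -out /dev/null 2>/dev/null; then echo verified; else echo rejected; fi
}

# Full run: sign with a 90-day signer, verify now and again 91 days later.
# Prints one line: "verified rejected".
demo() {
  dir=$(mktemp -d); days=90
  printf 'constructed package payload\n' > "$dir/pkg.tgz"   # stand-in for a .tgz
  make_ca "$dir"; make_signer "$dir" "$days"; sign_pkg "$dir"
  now=$(date +%s)
  printf '%s %s\n' "$(verify_pkg_at "$dir" "$now")" \
    "$(verify_pkg_at "$dir" $((now + (days + 1) * 86400)))"
  rm -rf "$dir"
}
```

Run `demo` to see both outcomes; whether a real installer refuses, prompts or overrides on "rejected" is policy on top of this check, not part of the verification itself.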

