author Patrick McDermott <pehjota> 2017-08-06 21:51:22 (EDT)
committer Patrick McDermott <pehjota> 2017-08-06 21:51:22 (EDT)
commit 1afbb048f9df49a9dfeb62bb0d3ef09bf12389a4 (patch)
tree 3ef1508b52fa095060daed5d260eb39997aa8d00
parent 5f5496d3be4bbe2c5956092ad2c9cbf475a70b0e (diff)
dev/archive/signing: New page
-rw-r--r-- dev/archive/signing.mdwn 64
1 files changed, 64 insertions, 0 deletions
diff --git a/dev/archive/signing.mdwn b/dev/archive/signing.mdwn
new file mode 100644
index 0000000..c363b4c
--- /dev/null
+++ b/dev/archive/signing.mdwn
@@ -0,0 +1,64 @@
+[[!meta title="Package Archive Signing"]]
+
+Background
+==========
+
+Package archive signing will enable verification of package archive index files
+and establish a chain of trust to verify individual packages. It will allow
+ProteanOS's package management tools to more securely retrieve packages from the
+archive.
+
+Implementation
+==============
+
+ProteanOS Archive Manager
+-------------------------
+
+[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive
+signing and one to specify a signing key. If archive signing is enabled,
+pro-archman will run `gpg` to sign, with the specified key, `Packages` feed
+index files when generated.
+
+A `gpg` executable will be an optional dependency, found by the `configure`
+script at build time.
+
+ProteanOS Development Kit
+-------------------------
+
+[[prokit|dev/prokit]] will verify package feed index files with `gpg` if
+configured in the profile, and the `proteanos` profile will enable such
+verification.
+
+A `gpg` executable will be an optional dependency, found by the `configure`
+script at build time.
+
+A keyring (or ASCII-armored keys that are added to a keyring at either build
+time or run time) associated with the profile should probably be included with
+prokit. Otherwise, a user would need to manually import the archive signing
+key(s) into their keyring.
+
+If keys are distributed with prokit, **revocations and key transitions need to
+be handled somehow**.
+
+Opkg
+----
+
+The opkg package manager supports verifying package feeds. This feature
+requires linking against the [GnuPG Made Easy (GPGME) library][gpgme].
+
+ProteanOS packages for GPGME and its dependencies need to be prepared and
+uploaded. gpgme depends on libgpg-error (packaged and uploaded) and libassuan.
+Its testsuite depends on gnupg. gnupg in turn depends on libgpg-error,
+libgcrypt, libassuan, libksba, and npth. libgcrypt depends on libgpg-error.
+Below is a DOT-language digraph representation of these dependencies that can be
+rendered with Graphviz.
+
+Once gpgme and its dependencies are packaged in ProteanOS, opkg can be built
+with package feed verification. This feature should be optional. The `opkg`
+source package should have two builds, with and without verification enabled.
+This will probably mean generating new binary packages `opkg-gpg` and
+`libopkg.1-gpg` (which will conflict with `opkg` and `libopkg.1` respectively)
+and installing data files into binary package directories without the aid of
+`oh-installfiles`.
+
+[gpgme]: https://www.gnupg.org/software/gpgme/index.html
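Review bot: the sentence "Below is a DOT-language digraph representation of these dependencies that can be rendered with Graphviz." in the Opkg section promises a `digraph` block that does not appear anywhere in this hunk; either add the DOT block after that paragraph or drop the sentence, since as written the page points readers at content that is not there. Two further points in the prokit section: "gpg executable will be an optional dependency" combined with "will verify package feed index files with gpg if configured in the profile" leaves it unstated what happens when the `proteanos` profile enables verification but no `gpg` is available at run time; say explicitly that this is a hard error rather than a silent fallback to unverified feeds, otherwise an optional build dependency can quietly turn signature checking off. And "revocations and key transitions need to be handled somehow" is the part of the design that needs a concrete answer before keys are shipped with prokit; a usable minimum is an expiry date on the archive signing key, shipping the successor key in the prokit keyring ahead of the transition, and signing `Packages` with both keys during the overlap, and it is worth also noting how a stale but still validly signed `Packages` index is rejected (for example, a date field in the index that prokit checks), since signing alone does not stop replay of an old feed.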