path: root/dev/archive/signing.mdwn
Diffstat (limited to 'dev/archive/signing.mdwn')
1 files changed, 64 insertions, 0 deletions
diff --git a/dev/archive/signing.mdwn b/dev/archive/signing.mdwn
new file mode 100644
index 0000000..c363b4c
--- /dev/null
+++ b/dev/archive/signing.mdwn
@@ -0,0 +1,64 @@
+[[!meta title="Package Archive Signing"]]
+Package archive signing will enable verification of package archive index files
+and establish a chain of trust to verify individual packages. It will allow
+ProteanOS's package management tools to more securely retrieve packages from the
+ProteanOS Archive Manager
+[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive
+signing and one to specify a signing key. If archive signing is enabled,
+pro-archman will run `gpg` to sign, with the specified key, `Packages` feed
+index files when generated.
+A `gpg` executable will be an optional dependency, found by the `configure`
+script at build time.
+ProteanOS Development Kit
+[[prokit|dev/prokit]] will verify package feed index files with `gpg` if
+configured in the profile, and the `proteanos` profile will enable such
+A `gpg` executable will be an optional dependency, found by the `configure`
+script at build time.
+A keyring (or ASCII-armored keys that are added to a keyring at either build
+time or run time) associated with the profile should probably be included with
+prokit. Otherwise, a user would need to manually import the archive signing
+key(s) into their keyring.
+If keys are distributed with prokit, **revocations and key transitions need to
+be handled somehow**.
+The opkg package manager supports verifying package feeds. This feature
+requires linking against the [GnuPG Made Easy (GPGME) library][gpgme].
+ProteanOS packages for GPGME and its dependencies need to be prepared and
+uploaded. gpgme depends on libgpg-error (packaged and uploaded) and libassuan.
+Its testsuite depends on gnupg. gnupg in turn depends on libgpg-error,
+libgcrypt, libassuan, libksba, and npth. libgcrypt depends on libgpg-error.
+Below is a DOT-language digraph representation of these dependencies that can be
+rendered with Graphviz.
+Once gpgme and its dependencies are packaged in ProteanOS, opkg can be built
+with package feed verification. This feature should be optional. The `opkg`
+source package should have two builds, with and without verification enabled.
+This will probably mean generating new binary packages `opkg-gpg` and
+`libopkg.1-gpg` (which will conflict with `opkg` and `libopkg.1` respectively)
+and installing data files into binary package directories without the aid of
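Review bot: the prokit paragraph (the line ending "the `proteanos` profile will enable such") breaks off mid-sentence and then repeats the "A `gpg` executable will be an optional dependency" sentence already given for pro-archman; finish the sentence (e.g. "will enable such verification by default") and drop the duplicate. On the verification design itself, the note that "a user would need to manually import the archive signing key(s) into their keyring" suggests prokit may verify against the user's default keyring; please specify that `gpg` is invoked against the profile's own keyring only (`--no-default-keyring --keyring <profile keyring>`), so that an unrelated key the user happens to trust cannot validate a feed index. The bolded "revocations and key transitions need to be handled somehow" should become a concrete requirement before this lands: ship revocation certificates with the profile keyring, have pro-archman sign a new key with the old one during a transition, and treat a signature from an unknown, expired or revoked key as a hard verification failure rather than a warning. Finally, consider whether the signed `Packages` index carries a timestamp or validity window; without one, a correctly signed but stale index can be replayed to hold clients on superseded package versions.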