From 1afbb048f9df49a9dfeb62bb0d3ef09bf12389a4 Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Sun, 06 Aug 2017 21:51:22 -0400 Subject: dev/archive/signing: New page --- diff --git a/dev/archive/signing.mdwn b/dev/archive/signing.mdwn new file mode 100644 index 0000000..c363b4c --- /dev/null +++ b/dev/archive/signing.mdwn @@ -0,0 +1,64 @@ +[[!meta title="Package Archive Signing"]] + +Background +========== + +Package archive signing will enable verification of package archive index files +and establish a chain of trust to verify individual packages. It will allow +ProteanOS's package management tools to more securely retrieve packages from the +archive. + +Implementation +============== + +ProteanOS Archive Manager +------------------------- + +[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive +signing and one to specify a signing key. If archive signing is enabled, +pro-archman will run `gpg` to sign, with the specified key, `Packages` feed +index files when generated. + +A `gpg` executable will be an optional dependency, found by the `configure` +script at build time. + +ProteanOS Development Kit +------------------------- + +[[prokit|dev/prokit]] will verify package feed index files with `gpg` if +configured in the profile, and the `proteanos` profile will enable such +verification. + +A `gpg` executable will be an optional dependency, found by the `configure` +script at build time. + +A keyring (or ASCII-armored keys that are added to a keyring at either build +time or run time) associated with the profile should probably be included with +prokit. Otherwise, a user would need to manually import the archive signing +key(s) into their keyring. + +If keys are distributed with prokit, **revocations and key transitions need to +be handled somehow**. + +Opkg +---- + +The opkg package manager supports verifying package feeds. This feature +requires linking against the [GnuPG Made Easy (GPGME) library][gpgme]. + +ProteanOS packages for GPGME and its dependencies need to be prepared and +uploaded. gpgme depends on libgpg-error (packaged and uploaded) and libassuan. +Its testsuite depends on gnupg. gnupg in turn depends on libgpg-error, +libgcrypt, libassuan, libksba, and npth. libgcrypt depends on libgpg-error. +Below is a DOT-language digraph representation of these dependencies that can be +rendered with Graphviz. + +Once gpgme and its dependencies are packaged in ProteanOS, opkg can be built +with package feed verification. This feature should be optional. The `opkg` +source package should have two builds, with and without verification enabled. +This will probably mean generating new binary packages `opkg-gpg` and +`libopkg.1-gpg` (which will conflict with `opkg` and `libopkg.1` respectively) +and installing data files into binary package directories without the aid of +`oh-installfiles`. + +[gpgme]: https://www.gnupg.org/software/gpgme/index.html -- cgit v0.9.1