[[!meta title="Package Archive Signing"]]

Background
==========

Package archive signing will enable verification of package archive index files and establish a chain of trust to verify individual packages. It will allow ProteanOS's package management tools to more securely retrieve packages from the archive.

Implementation
==============

ProteanOS Archive Manager
-------------------------

[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive signing and one to specify a signing key. If archive signing is enabled, pro-archman will run `gpg` to sign the `Packages` feed index files with the specified key when they are generated. A `gpg` executable will be an optional dependency, found by the `configure` script at build time.

ProteanOS Development Kit
-------------------------

[[prokit|dev/prokit]] will verify package feed index files with `gpg` if configured in the profile, and the `proteanos` profile will enable such verification. A `gpg` executable will be an optional dependency, found by the `configure` script at build time.

A keyring (or ASCII-armored keys that are added to a keyring at either build time or run time) associated with the profile should probably be included with prokit. Otherwise, a user would need to manually import the archive signing key(s) into their keyring. If keys are distributed with prokit, **revocations and key transitions need to be handled somehow**.

Opkg
----

The opkg package manager supports verifying package feeds. This feature requires linking against the [GnuPG Made Easy (GPGME) library][gpgme]. ProteanOS packages for GPGME and its dependencies need to be prepared and uploaded.

gpgme depends on libgpg-error (packaged and uploaded) and libassuan. Its test suite depends on gnupg. gnupg in turn depends on libgpg-error, libgcrypt, libassuan, libksba, and npth. libgcrypt depends on libgpg-error. Below is a DOT-language digraph representation of these dependencies that can be rendered with Graphviz.
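The dependency graph the paragraph describes, as an added example that is not part of the original page: a POSIX shell script that holds the edges listed above as "dependency dependant" pairs, computes the order in which the source packages have to be built and uploaded with `tsort(1)`, and emits the same edge set as a DOT digraph for Graphviz. Every edge comes from the statements above; the gnupg-to-gpgme edge is the test-suite dependency, so it is marked as build-time only.

```shell
#!/bin/sh
# Added example (not from the ProteanOS wiki): the GPGME dependency graph the
# text lists, as "dependency dependant" edge pairs. Each edge below comes from
# the dependency statements on this page; the gnupg -> gpgme edge is the
# test-suite dependency, so it is a build-time rather than run-time edge.
dep_edges() {
    cat <<'EOF'
libgpg-error gpgme
libassuan gpgme
gnupg gpgme
libgpg-error gnupg
libgcrypt gnupg
libassuan gnupg
libksba gnupg
npth gnupg
libgpg-error libgcrypt
EOF
}

# Order in which the source packages must be built and uploaded so that every
# package's dependencies are already in the archive: tsort(1) (POSIX) prints
# each node only after all of its predecessors.
build_order() {
    dep_edges | tsort
}

# The same edges rendered as a DOT digraph for Graphviz (dot -Tpng deps.dot).
# Arrows point from a package to what it depends on; the dashed edge marks the
# test-suite-only dependency.
deps_dot() {
    echo 'digraph gpgme_deps {'
    echo '    rankdir=BT;'
    dep_edges | while read -r dep pkg; do
        if [ "$dep" = gnupg ] && [ "$pkg" = gpgme ]; then
            printf '    "%s" -> "%s" [style=dashed, label="test suite"];\n' "$pkg" "$dep"
        else
            printf '    "%s" -> "%s";\n' "$pkg" "$dep"
        fi
    done
    echo '}'
}

# 1-based position of a package in the build order; handy for checking that a
# dependency really lands before its dependant.
build_position() {
    build_order | grep -n -x "$1" | cut -d: -f1
}
```

`build_order` prints one package per line, libgpg-error first and gpgme last; `deps_dot > deps.dot && dot -Tpng deps.dot > deps.png` renders the graph.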
Once gpgme and its dependencies are packaged in ProteanOS, opkg can be built with package feed verification. This feature should be optional. The `opkg` source package should have two builds, with and without verification enabled. This will probably mean generating new binary packages `opkg-gpg` and `libopkg.1-gpg` (which will conflict with `opkg` and `libopkg.1` respectively) and installing data files into binary package directories without the aid of `oh-installfiles`.

[gpgme]: https://www.gnupg.org/software/gpgme/index.html
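As an added example, not code from pro-archman, prokit or opkg: a POSIX shell script that does what the sections above describe those tools doing, signing a `Packages` index with a detached GnuPG signature on the archive side and verifying it on the client side before the index is trusted, including the case where the index was modified after signing. The signing key, the `Packages` contents and the `Packages.sig` filename are constructed for the example (the page does not say which signature filename pro-archman will use), and a throwaway `GNUPGHOME` keeps it away from any real keyring.

```shell
#!/bin/sh
# Added example (not pro-archman, prokit or opkg code): sign a Packages index
# with a detached GnuPG signature and verify it, then show that a modified
# index fails verification. Everything runs inside a throwaway GNUPGHOME with a
# constructed key, so no real keyring is touched. The Packages.sig filename is
# an assumption; the page does not state the name pro-archman will use.
set -u

# sign_index FILE KEYID: write a detached signature to FILE.sig made by KEYID.
# --batch/--yes make gpg unattended, as a build tool like pro-archman needs.
sign_index() {
    gpg --batch --yes --local-user "$2" --detach-sign --output "$1.sig" "$1"
}

# verify_index FILE: exit 0 only if FILE.sig is a valid signature over FILE
# made by a key already in the keyring. This is the check prokit/opkg would
# run before trusting a downloaded feed index.
verify_index() {
    gpg --batch --verify "$1.sig" "$1" 2>/dev/null
}

# run_demo: create a throwaway key, sign a constructed Packages index, verify
# it, then tamper with the index and confirm verification now fails.
# Returns 0 only if the intact index verifies and the modified one does not.
run_demo() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    rc=1
    # Constructed throwaway signing key; no passphrase so it runs unattended.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Archive Key <archive@example.invalid>' \
        default default never 2>/dev/null || { rm -rf "$work"; return 1; }

    idx="$work/Packages"
    # Constructed feed index entry in the Packages format opkg reads.
    printf 'Package: example\nVersion: 1.0\nArchitecture: all\n' > "$idx"

    if sign_index "$idx" 'archive@example.invalid' 2>/dev/null \
       && verify_index "$idx"; then
        # Append one stanza: the detached signature covers the original bytes
        # only, so verification of the changed file must now fail.
        printf 'Package: injected\nVersion: 0\n' >> "$idx"
        verify_index "$idx" || rc=0
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}
```

`run_demo && echo ok` prints `ok` when the check behaves as expected. A signature made by a key that is not in the client's keyring makes `verify_index` fail in the same way as the tampered index, which is why the keyring-distribution question in the prokit section above matters as much as the signing itself.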