Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

GPG Signed Packages
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
rphillips
Retired Dev
Retired Dev


Joined: 18 Apr 2002
Posts: 92
PostPosted: Mon May 27, 2002 8:04 am    Post subject: GPG Signed Packages Reply with quote
Is there a want for GPG signed packages that will check signatures upon an emerge?

-ryan
Back to top
View user's profile Send private message
Scandium
Retired Dev
Retired Dev


Joined: 22 Apr 2002
Posts: 340
Location: Germany
PostPosted: Mon May 27, 2002 8:55 am    Post subject: Reply with quote
*raises his hands*
I think gpg should be in the base package and every package should be signed with (the maintainers ?) gpg-key.
It's not a must IMHO but it would be a great addition
Back to top
View user's profile Send private message
rphillips
Retired Dev
Retired Dev


Joined: 18 Apr 2002
Posts: 92
PostPosted: Mon May 27, 2002 9:03 am    Post subject: Reply with quote
Here is how I envision this:

Code:

        1. Daniel creates a master gentoo key, call it key 1.
        2. Daniel signs all the package maintainer's gnupg keys with key 1.
           This allows us to use our own keys for signing purposes.
        3. A public keyring of all of our public keys, and key 1 is located within
           /usr/portage/profiles/gentoo-keys.gpg
        4. Upon verification of the package:
                A. The signature of the package is validated.
                B. The signer of the package is checked against the gentoo keyring.
                   a. If the signer has the 'key 1' signature on his own key, then the
                   package is verified and installed.
                   b. If the signer does not have the key 1 signature then, the package
                   can still be installed if a proper config variable is set.  ie:
                   USE_UNTRUSTED_SIGS=y

I haven't wrote this functionality into portage yet, and wanted everyone's
opinion on use and functionality. I also propose another variable for
/etc/make.conf called AUTH_METHOD. By default this method can be MD5, but can
be changed by the user to GPG if they like.

Another question is if the signatures should be stored in ascii armor,
or in binary in the portage CVS. There are tradeoffs to both.
Back to top
View user's profile Send private message
Scandium
Retired Dev
Retired Dev


Joined: 22 Apr 2002
Posts: 340
Location: Germany
PostPosted: Mon May 27, 2002 9:22 am    Post subject: Reply with quote
I am not that experienced with crypto I just use gpg, I am just happy with it and feel good when using it ;-)
Back to top
View user's profile Send private message
klieber
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
PostPosted: Mon May 27, 2002 11:35 am    Post subject: Reply with quote
moving this thread to Gentoo suggestions.

BTW, digitally signed packages has already been filed as a feature request on bugs.gentoo.org

--kurt
_________________
The problem with political jokes is that they get elected
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy