republishing changes the hash, and so the signature is wrong #3

dominictarr opened this Issue Jul 28, 2013 · 5 comments

dominictarr (Collaborator) commented Jul 28, 2013

If you sign the hash of the tarball, you cannot put that signature inside the tarball because
that will change the hash... And so, you have only signed the previous version.

Looking into this, normally, when you have signed bundles/files the signature is almost always a separate file.

You could make it the same file, potentially, but you'd need to have a completely clear way to delimit the signed part from the unsigned part (where the signature itself sits).

I think it's probably best to just make it a separate object that you can store in the database (npm or npmd).

0x00A (Owner) commented Jul 28, 2013

You are correct, and it is currently a separate file. When the request is created, a .pkpignore file is created which excludes files, specifically the pkp.json file, from the hash. This way it can be included in the package, but not in the hash.

dominictarr (Collaborator) commented Jul 28, 2013

Hmm, you'd need to store the list of files that you are hashing inside the pkp.json file too, so that it can be reproduced.
Also, if any code files are absent from the hash, then that is a security hole.

juliangruber (Collaborator) commented Jul 28, 2013

Oh, so there shouldn't be a file in .pkpignore that isn't in .npmignore -> just use .npmignore.

dominictarr (Collaborator) commented Jul 28, 2013

You'd need to check in .npmignore.

0x00A (Owner) commented Jul 28, 2013

Thanks for the comments guys! :) When pkp tries to hash the package, it expects that nothing has changed in the version since the request for signing was made for it. To do this, I'm using fstream-ignore; with this I can specify a list of files that are not part of the functioning code ['.gitignore', '.pkiignore', '.npmignore'] (but these files themselves are "checked in"). All other files within the package are used to calculate the hash; if one is missing or changed, the hash cannot be reproduced, and the package cannot be signed or validated.
