
Verify packages PGP signatures #17

Open
thblt opened this Issue Sep 4, 2017 · 4 comments


thblt commented Sep 4, 2017 edited by tarsius

It would be nice if Borg verified PGP signatures before building/activating a drone. I've included such a feature in a little UI frontend for Borg I've been working on as an Elisp exercise, but I think it could take place in the core instead. I imagine it working this way:

  1. borg-assimilate would verify if the package is signed after cloning. If it is not, but if the most recent tag on the default branch is, it would offer to check out this tag instead of HEAD.

    If the git object (tag or commit) is signed with a missing signature, Borg may offer to download the public key.

    If a valid signature is found, Borg could offer to add a submodules.DRONE.signingkey field with the identifier of the signing key.

    If no signature can be verified, it would ask the user whether they still want to activate the package, and offer the choice to remove it instead.

  2. borg-clone would do the same, but won't offer to modify .gitmodules.

  3. A new function borg-upgrade or borg-switch-version would be added, which would prompt the user for a commit or a tag, check it out, and verify the signature (using submodules.DRONE.signingkey) before building.

  4. A new variable, borg-always-valid-keys would be introduced, which would store a list of GnuPG key identifiers to consider valid for all packages. This would typically store the ID of the user's own key.

  5. Optional: A new variable borg-verify-signatures-on-initialization could be introduced, defaulted to nil. If non-nil, borg-initialize would only activate packages with a valid signature and a clean working-tree. (This is a kind of "paranoia" mode.)

If you're interested in having such a feature in Borg, I'd like to work on it.

Thanks for reading this!
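The decision flow of the proposal above (steps 1 and 4: unsigned, missing key, good signature, configured signingkey, always-valid keys), as an added example in Python rather than Borg's own Elisp; the function names, the `Verdict` actions and the gpg status samples are all constructed for this illustration and are not part of Borg.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

@dataclass
class Verdict:
    action: str                # "activate" | "record-key" | "fetch-key" | "ask-user"
    key: Optional[str] = None  # key id or fingerprint the verdict refers to
    reason: str = ""

def git_gpg_status(repo: str, obj: str) -> str:
    """Return gpg's raw status lines for commit or tag OBJ in REPO ('' when unsigned).
    With --raw, git writes gpg's status-fd output to stderr instead of human-readable text."""
    kind = subprocess.run(["git", "-C", repo, "cat-file", "-t", obj],
                          capture_output=True, text=True, check=True).stdout.strip()
    verb = "verify-tag" if kind == "tag" else "verify-commit"
    return subprocess.run(["git", "-C", repo, verb, "--raw", obj],
                          capture_output=True, text=True).stderr

def parse_gpg_status(raw: str) -> dict:
    """Map each '[GNUPG:] KEYWORD args...' line to {KEYWORD: [args]}; other lines are ignored."""
    status = {}
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            status[parts[1]] = parts[2:]
    return status

def key_matches(configured: str, fingerprint: str) -> bool:
    """A configured id may be a short id, long id or full fingerprint; match by suffix, as gpg does."""
    return fingerprint.upper().endswith(configured.upper().replace(" ", ""))

def decide(raw: str, signingkey: Optional[str], always_valid: list) -> Verdict:
    """SIGNINGKEY is submodule.<drone>.signingkey (None if unset); ALWAYS_VALID is borg-always-valid-keys."""
    st = parse_gpg_status(raw)
    if not st:
        return Verdict("ask-user", reason="object is not signed")
    if "NO_PUBKEY" in st:           # signed, but the key is not in the keyring
        return Verdict("fetch-key", st["NO_PUBKEY"][0], "offer to download the public key")
    if "GOODSIG" not in st or "VALIDSIG" not in st:   # BADSIG, EXPKEYSIG, REVKEYSIG, ERRSIG ...
        return Verdict("ask-user", reason="signature did not verify")
    fpr = st["VALIDSIG"][0]
    if (signingkey and key_matches(signingkey, fpr)) or any(key_matches(k, fpr) for k in always_valid):
        return Verdict("activate", fpr)
    if signingkey is None:          # first assimilation: good signature, nothing recorded yet
        return Verdict("record-key", fpr, "offer to store submodule.<drone>.signingkey")
    return Verdict("ask-user", fpr, "signed by a key other than the configured one")

# Constructed gpg status output (fake key, not a real signature) so the logic runs offline.
FPR = "AAAA1111BBBB2222CCCC33330123456789ABCDEF"
SAMPLE_GOOD = f"[GNUPG:] GOODSIG {FPR[-16:]} Example <ex@example.org>\n[GNUPG:] VALIDSIG {FPR} 2017-09-04 1504483200 0 4 0 1 8 00 {FPR}\n"
SAMPLE_NO_KEY = f"[GNUPG:] ERRSIG {FPR[-16:]} 1 8 00 1504483200 9\n[GNUPG:] NO_PUBKEY {FPR[-16:]}\n"
SAMPLE_BAD = f"[GNUPG:] BADSIG {FPR[-16:]} Example <ex@example.org>\n"
```

`git_gpg_status` needs a real repository and keyring; the `SAMPLE_*` strings let `decide` be exercised without either.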

@tarsius tarsius added the enhancement label Sep 4, 2017

Owner

tarsius commented Sep 4, 2017 edited

It's pretty exciting that borg now has an extension. Not too long ago it didn't even have more than a handful of users. 😉

@tarsius tarsius self-assigned this Sep 5, 2017

Owner

tarsius commented Sep 5, 2017

I am a little busy getting Magit, borg, epkg, closql, and emir releases ready, so I will comment later.

Owner

tarsius commented Sep 15, 2017

Just a quick note for those following links 😉

As a security measure I have already added a command that only clones a package without also installing it, to allow reviewing a package before any of it is executed. Additionally I plan to show a warning when a user attempts to install an unsafe package and add an option to epkg to hide all Emacswiki packages.

thblt commented Nov 4, 2017

Hi Jonas, just a friendly reminder that this issue is still waiting for your feedback :) There's no hurry since I'm still really busy (too, I guess), but knowing what you think would help me get started whenever I can. Thanks!
