-
Notifications
You must be signed in to change notification settings - Fork 351
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
opam: support signing repository #423
Comments
The initial design goal of checksums and such was to have a reliable (but not necessary perfect) way of detecting upstream change, in order to rebuild packages which have changed. However, I agree that having signed packages would be nice, but this will not be done before the 1.0 (at least not by me ... but if you want to contribute patches, you are always most than welcome :-) ). I'm moving the issue to "ongoing" to keep track of the idea. |
Also, maybe this can be done by an external program (ie. opam-safe-repo) ? |
On 2013-02-03 19:42, Thomas Gazagnaire wrote:
There could be 2 opam packages for the client:
When opam is first installed and 'opam init' is run it should automatically install these 2 packages, Then key rollover is simple: just publish a new opam-keyring package, signed with both keys, and some time later For the server/repository side I was thinking that ocaml-mk-repo could invoke gpg directly, --Edwin |
this would obviously depend on some OpenPGP implementation or binding in OCaml - is there one which I haven't found yet? |
Perhaps signify would be something simpler to implement. |
+1 to signify. On 22 Jul 2014, at 11:17, Török Edwin notifications@github.com wrote:
|
A friend recently referred me to this project which seems popular for Python, Ruby Gems and Docker:
I found this to be a good read about OpenBSDs new tool, called signify: Link to mailing-list discussion about the subject:
Erlang discussions about code signing: Here is a long discussion with lots of relevant links from Cabal, the Haskell package manager (who have now implemented their own pkg signing and verification): Brief recap of interesting links from that thread:
By the way: This older discussion is related: #1370
|
Thanks a lot for the detailed overview. This is something that needs our attention. |
please have a look at our proposal: http://opam.ocaml.org/blog/Signing-the-opam-repository/ |
First some points:
I read this as if the proposal gives
Apart from those concerns - good job, looking forward to it! :-) |
to briefly answer (prefer discussion on the mailing list mentioned in the blog article):
|
On 1., also, a quorum (probably 2) of RM signatures will be required. |
Currently the opam repository is updated over http, and there are no signatures on the packages/repository. An improvement would be to update over https, but that wouldn't protect against a compromise of the repository server/user account, or a mitm attack on the ssl cert.
There are already checksums for archives (in packages//url), and checksums for all the files in the repository (in urls.txt), so you are halfway there.
It'd be nice if there was also a .sig file that signs the urls.txt, and if you used a stronger hash (in addition to) MD5 (at least SHA1, but SHA2 is supported pretty much everywhere nowadays).
opam would carry the public key, and opam-mk-repo would have to be pointed to the private key to perform the signing.
For private repositories (the ones with opam remote add) you could have the option to disable signing, or to add another public key to opam.
As for implementing this in opam you could either invoke gpgv, or do it yourself using cryptokit (but that'd add a dependency on cryptokit for opam).
Once this is implemented that leaves unauthenticated only git URLs in packages. Maybe a flag --secure to opam could forbid installing of packages from git URLs, or packages that don't have checksums.
I think this simple signing of urls.txt would suffice, as it is assumed that whoever signs urls.txt with the private key has also checked that all the packages and their source codes come from trusted sources, and that the checksums are correct.
A more complicated signing scheme where each package is signed by its respective maintainer is not needed, as git already provides a way to authenticate pull requests, see:
https://www.kernel.org/pub/software/scm/git/docs/howto/using-signed-tag-in-pull-request.html
The text was updated successfully, but these errors were encountered: