Short GPG HOWTO and Re: hackage, cabal-get, and security

Shae Matijs Erisson shae at ScannedInAvian.com
Tue May 17 13:55:36 EDT 2005


Isaac Jones <ijones at syntaxpolice.org> writes:

> How does one generate a signed SSL certificate?  It's very costly, isn't it?

It's free to generate a self-signed certificate, but that doesn't help much.
As you suggest later in this email, there could be a CA on haskell.org.

>> The open question here is whether it is easier to convince people to
>> serve modules via HTTPS web servers or whether they prefer gnupg key
>> management. A reason to believe that the former will be preferable to
> the latter is that people can easily delegate SSL hosting to
>> others. Delegating gnupg key management is non-trivial.

Having used both, my opinion is that GPG is less difficult than SSL.
Key management with GPG is globally delegated. It may not be trivial,
but my first SSL certificate was definitely more trouble.
Here's a short gpg howto for Linux that assumes you have gpg installed:

gpg --gen-key
creates a new key.

gpg --list-keys <yourname>
shows you the created key.

Choose a keyserver; I use "keyserver keyserver.kjsl.com" in ~/.gnupg/options,
or add --keyserver some.host.name to the gpg command.

gpg --send-keys <yourname>
uploads your key to the keyserver.

gpg -b --sign filename
creates filename.sig, a detached signature for the file.

Now to test it on real files:

gpg --recv-keys 40620E18
grabs my key from the keyserver.

wget http://www.scannedinavian.org/~shae/qc-tdd.{tgz,tgz.sig}
grabs a file and signature I created.

gpg --verify qc-tdd.tgz.sig
checks a detached signature against the key and qc-tdd.tgz file.

If you check the signature before you have the key, you'll see the key
'nickname' and you can use that as a parameter to --recv-keys.
40620E18 is the short name for my key, as shown above.

You'll also get warnings if my key isn't already in your web of trust.

For related information see:
http://pgp.mit.edu/
http://people.debian.org/~weasel/weboftrust/ - Debian's web of trust
http://pki-page.org/#PGP - lots of PGP links

> I wanted hackage to have a pretty secure chain between the packager and the
> end-user, without the need for outside sysadmins, outside CAs, or outside
> methods for moving the package to the web server.

I'd prefer this also.

> The "web of identity / trust" would be much better if we had an official
> central authority like a CA, though, rather than an ad-hoc one.

I don't think a central authority is necessary as long as we have the web of
identity / trust. If requested anyway, what about haskell.org?
-- 
It seems I've been living two lives. One life is a self-employed web developer
In the other life, I'm shapr, functional programmer.  | www.ScannedInAvian.com
One of these lives has futures (and subcontinuations!)|  --Shae Matijs Erisson
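As an added example (not from the post or from Hackage), the following Python helper wraps the `gpg --verify` step from the howto above and turns gpg's machine-readable `--status-fd` output into a decision, accepting a signature only when its full key fingerprint was pinned beforehand (a short id like 40620E18 is not enough to pin a key) and otherwise reporting the key id you would pass to --recv-keys, or that the signature is bad, expired or revoked. The function names, the fingerprint and the sample status lines are constructed for the example.

```python
import re, subprocess
from typing import NamedTuple, Optional

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")  # "[GNUPG:] KEYWORD args..."

class Verdict(NamedTuple):
    status: str           # "valid", "untrusted_key", "bad", "missing_key" or "error"
    key: Optional[str]    # full fingerprint, or the key id to fetch for "missing_key"
    trust: Optional[str]  # TRUST_* keyword gpg emitted (web-of-trust standing)

def judge(status_lines, pinned_fingerprints):
    """Accept only a VALIDSIG whose full fingerprint is pinned; a short id like 40620E18 is not enough."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    fpr = missing = trust = bad = None
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "VALIDSIG":
            fpr = args[0].upper()
        elif keyword in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad = keyword         # wrong, expired or revoked key: never accept
        elif keyword == "NO_PUBKEY":
            missing = args[0]     # the id to hand to gpg --recv-keys
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if bad:
        return Verdict("bad", None, trust)
    if fpr is None:
        return Verdict("missing_key" if missing else "error", missing, trust)
    if fpr not in pinned:
        return Verdict("untrusted_key", fpr, trust)
    return Verdict("valid", fpr, trust)

def verify_detached(sig_path, data_path, pinned_fingerprints, gpg="gpg"):
    """Run the post's 'gpg --verify file.sig' step and judge gpg's status output."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return judge(proc.stdout.splitlines(), pinned_fingerprints)

# Constructed sample status output (made-up fingerprint and key id) for the two cases
# the post describes: key not fetched yet, and a good signature by an unfamiliar key.
PINNED = "0000111122223333444455556666777788889999"
SAMPLE_NO_KEY = ["[GNUPG:] NEWSIG", "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>",
    f"[GNUPG:] VALIDSIG {PINNED} 2005-05-17 1116355000 0 4 0 17 2 00 {PINNED}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

A TRUST_UNDEFINED verdict on an otherwise valid signature is exactly the web-of-trust warning the post mentions; the pinned fingerprint, not the trust level, is what decides acceptance here.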