Proposal: cabal-install: verify OpenPGP signatures
Nikita Karetnikov
nikita at karetnikov.org
Sat Jun 21 15:56:05 UTC 2014
> If a package is signed, the maintainers have the permission to sign. If
> it’s necessary to add a maintainer, the uploader lists a username in a
> file, signs it, and uploads. (Is there a better way to achieve the same
> thing?) The server checks the signature, parses the file, and adds the
> usernames to the maintainers group.
> Since it’s important to sign the file locally, there should be a
> convenience tool allowing to select the usernames.
This is too complicated and has some drawbacks. I’m currently working
on the following:
1. It should be possible to upload a signature while uploading a
package. The server must check that the signature corresponds to the
uploader’s key.
2. If it’s necessary to add a new maintainer, the initial uploader must
sign the public key of the said maintainer. (This will be checked by
cabal-install.)
For ‘cabal-install’:
1. A warning must be raised if a package that was signed previously is
not signed.
2. If a package is signed but was not signed previously, ‘cabal-install’
must check its signature and add the public key to the cache.
3. If a package was signed but now is signed with a different key,
‘cabal-install’ must check whether this key is signed with the
previously-known key corresponding to this package, then verify the
signature. If not, a warning must be raised.
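An added example, not code from cabal-install or from this thread: a Python model of the three client-side rules above. The names `Key`, `Cache`, `check` and `demo` are hypothetical; HMAC-SHA256 stands in for OpenPGP signatures so the example runs offline, and "the initial uploader signs the new maintainer's public key" is modelled as the previously-known key signing the new key's id. What happens to a package that was never signed and arrives unsigned, and whether the cache is re-pinned to the new key after a trusted rotation, are not stated in the mail; both choices are marked as assumptions in the code.

```python
"""Trust-on-first-use signature policy for a package client (model)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    """Stand-in for an OpenPGP key: key_id is the 'public' part, secret signs.
    HMAC-SHA256 replaces real OpenPGP signatures so this runs offline; the
    policy logic below does not depend on the signature scheme."""
    key_id: str
    secret: bytes

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


@dataclass
class Cache:
    """Client-side state (constructed layout, not cabal's): which key signed
    each package last time, and the key material needed to verify it."""
    package_key: dict = field(default_factory=dict)  # package name -> key_id
    keys: dict = field(default_factory=dict)         # key_id -> Key


def check(cache, package, data, sig=None, key=None, certifications=()):
    """Apply the three rules from the mail to one download.

    sig/key: the signature over `data` and the key the uploader says made it.
    certifications: (signer_key_id, certified_key_id, sig) tuples, i.e. a
    previously-known key vouching for a new maintainer's key id.
    Returns a status string; 'WARN_*' means the client should warn.
    """
    known = cache.package_key.get(package)

    if sig is None or key is None:
        # Rule 1: previously signed, now unsigned -> warn.
        if known is not None:
            return "WARN_NOW_UNSIGNED"
        # Not covered by the mail; assumption: no history, no warning.
        return "UNSIGNED_NO_HISTORY"

    if known is None:
        # Rule 2: first signature seen for this package -> verify, then pin.
        if not key.verify(data, sig):
            return "BAD_SIGNATURE"
        cache.keys[key.key_id] = key
        cache.package_key[package] = key.key_id
        return "OK_FIRST_USE"

    if known == key.key_id:
        # Same key as last time: verify against the pinned copy, not the
        # copy the uploader sent along.
        pinned = cache.keys[known]
        return "OK_PINNED" if pinned.verify(data, sig) else "BAD_SIGNATURE"

    # Rule 3: different key -> it must be certified by the previously-known
    # key before its signature on the package counts for anything.
    old = cache.keys[known]
    certified = any(
        signer == known and subject == key.key_id
        and old.verify(subject.encode(), csig)
        for signer, subject, csig in certifications
    )
    if not certified:
        return "WARN_UNTRUSTED_KEY"
    if not key.verify(data, sig):
        return "BAD_SIGNATURE"
    # Assumption: after a trusted rotation the new key becomes the pinned one.
    cache.keys[key.key_id] = key
    cache.package_key[package] = key.key_id
    return "OK_ROTATED"


def demo():
    """Walk a constructed package 'foo' through each rule; returns statuses."""
    alice = Key("ALICE", b"alice-secret")        # initial uploader
    bob = Key("BOB", b"bob-secret")              # new maintainer
    mallory = Key("MALLORY", b"mallory-secret")  # unrelated key
    cache = Cache()
    v1 = b"foo-1.0.tar.gz contents"  # constructed package bytes
    v2 = b"foo-1.1.tar.gz contents"
    out = []
    # 1.0: first signed release, Alice's key gets pinned (rule 2).
    out.append(check(cache, "foo", v1, alice.sign(v1), alice))
    # 1.1 arrives unsigned (rule 1).
    out.append(check(cache, "foo", v2))
    # 1.1 signed by Bob, no certification from Alice (rule 3 fails).
    out.append(check(cache, "foo", v2, bob.sign(v2), bob))
    # Alice certifies Bob's key id; Bob's signature is now accepted.
    cert = ("ALICE", "BOB", alice.sign(b"BOB"))
    out.append(check(cache, "foo", v2, bob.sign(v2), bob, [cert]))
    # A certification claiming to be Bob's but made with Mallory's key.
    forged = ("BOB", "MALLORY", mallory.sign(b"MALLORY"))
    out.append(check(cache, "foo", v2, mallory.sign(v2), mallory, [forged]))
    return out


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The point of the model is the ordering: a signature is only checked with a key the cache already trusts, or with a key the trusted key has vouched for, so a valid signature from an unknown key is a warning rather than a pass.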