RFC: Finding the needed OpenPGP key (was: Proposal: cabal-install: verify OpenPGP signatures)

Nikita Karetnikov nikita at karetnikov.org
Sat Sep 27 00:30:06 UTC 2014

There is a problem with the current OpenPGP spec: only an 8-octet key id
is included in a signature, not the whole fingerprint [1,2].  I’d like
to get some feedback on how to address this issue.

This branch [3] contains the code that adds available OpenPGP keys and
corresponding usernames to the index tarball.  This information is used
during ‘cabal update’ [4] to establish a set of trusted keys, which is
then cached.

When a user runs ‘cabal install’, they only get a source tarball and
possibly a signature.  How would you find the right key in the cache?  I
see two options:

1. Match on 8-octet key ids.

2. Get an uploader name somehow and match on it instead.

The first option is simpler, which is a good thing.  But it would
require forbidding clashing key ids.  I think that’d be too restrictive
(fingerprints could be different) and would require querying the cache
for every key in the index tarball, which’d probably need a database.

The second one means sending an additional web request for each package
version during ‘install’, which would also add input validation burden
and potential security issues.

Since I dislike both options, I’ve talked to Mikhail on IRC who
suggested adding an ‘x-hackage-uploader’ field to .cabal files (similar
to the already used ‘x-hackage-revision’).  That’d be done in the index
tarball without changing the original files.  I like this idea because
it’s simple and would allow avoiding fingerprint collisions [5].

What would you do?

[1] https://tools.ietf.org/html/rfc4880#section-
[2] https://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
[3] https://gitorious.org/hackage-server/hackage-server/commits/openpgp
[4] https://gitorious.org/cabal/cabal/commits/openpgp
[5] https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html
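The following Python sketch is an added example, not code from this thread, from cabal-install or from hackage-server. It shows the concrete shape of the problem the message describes: a v4 OpenPGP signature packet carries only the 8-octet Issuer subpacket (RFC 4880 §5.2.3.5), and a v4 key id is just the low-order 64 bits of the 20-octet fingerprint (§12.2), so a cache keyed by fingerprint can return several candidates for one key id. The parser handles old- and new-format packet headers and subpacket lengths as the RFC defines them; `build_v4_sig_packet` produces a structurally valid but cryptographically meaningless packet purely as constructed test input, and the fingerprints, uploader names and the `KeyCache`/`select_key` names are all assumptions made up for the example.

```python
import struct
from typing import Dict, Iterator, List, Optional, Tuple

SIG_PACKET_TAG = 2          # RFC 4880 §4.3: Signature Packet
ISSUER_SUBPACKET = 16       # RFC 4880 §5.2.3.5: 8-octet key id of the signer


def parse_packet_header(data: bytes, pos: int = 0) -> Tuple[int, int, int]:
    """Return (tag, body_start, body_length) for the packet at `pos`.

    Supports old-format (§4.2.1) and new-format (§4.2.2) headers; partial
    and indeterminate body lengths are rejected rather than guessed.
    """
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new format
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old format
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each signature subpacket (§5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        sub_type = area[pos] & 0x7F                  # high bit = "critical" flag
        yield sub_type, area[pos + 1:pos + length]   # length counts the type octet
        pos += length


def issuer_key_id(sig_packet: bytes) -> Optional[bytes]:
    """Extract the 8-octet Issuer key id from a v4 signature packet, or None."""
    tag, start, length = parse_packet_header(sig_packet)
    if tag != SIG_PACKET_TAG:
        raise ValueError("not a signature packet")
    body = sig_packet[start:start + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled here")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    for area in (hashed, unhashed):                  # Issuer is usually unhashed
        for sub_type, value in iter_subpackets(area):
            if sub_type == ISSUER_SUBPACKET and len(value) == 8:
                return value
    return None


def build_v4_sig_packet(issuer: bytes) -> bytes:
    """Constructed test input: a minimal v4 signature packet carrying `issuer`.

    Structurally valid per §5.2.3 but NOT a real signature (dummy hash/MPI).
    """
    sub = bytes([9, ISSUER_SUBPACKET]) + issuer      # length 9 = type + 8 octets
    body = bytes([4, 0x00, 1, 8])                    # v4, binary doc, RSA, SHA-256
    body += struct.pack(">H", 0)                     # empty hashed subpacket area
    body += struct.pack(">H", len(sub)) + sub        # unhashed area with Issuer
    body += b"\x00\x00"                              # left 16 bits of hash (dummy)
    body += struct.pack(">H", 1) + b"\x01"           # dummy 1-bit MPI
    return bytes([0xC0 | SIG_PACKET_TAG, len(body)]) + body


class KeyCache:
    """Hypothetical cache built at 'cabal update': fingerprint -> uploader."""

    def __init__(self, entries: List[Tuple[str, str]]):
        self.by_fpr: Dict[bytes, str] = {bytes.fromhex(f): u for f, u in entries}

    def by_key_id(self, key_id: bytes) -> List[bytes]:
        # v4 key id = low-order 64 bits of the fingerprint (§12.2), so
        # this lookup can legitimately return more than one fingerprint.
        return [f for f in self.by_fpr if f[-8:] == key_id]

    def by_uploader(self, name: str) -> List[bytes]:
        return [f for f, u in self.by_fpr.items() if u == name]


def select_key(cache: KeyCache, sig_packet: bytes, uploader: Optional[str] = None) -> List[bytes]:
    """Candidates for verifying `sig_packet`; an uploader name (e.g. from a
    hypothetical x-hackage-uploader field) narrows key-id collisions."""
    key_id = issuer_key_id(sig_packet)
    candidates = cache.by_key_id(key_id) if key_id else []
    if uploader is not None:
        candidates = [f for f in candidates if cache.by_fpr[f] == uploader]
    return candidates


# Constructed sample: two keys whose fingerprints share the same low 64 bits.
FPR_A = "1111111111111111111111110123456789ABCDEF"
FPR_B = "2222222222222222222222220123456789ABCDEF"
FPR_C = "333333333333333333333333FEDCBA9876543210"
SAMPLE_CACHE = KeyCache([(FPR_A, "alice"), (FPR_B, "bob"), (FPR_C, "carol")])
```

With the sample cache, `select_key(SAMPLE_CACHE, build_v4_sig_packet(bytes.fromhex("0123456789ABCDEF")))` returns both `FPR_A` and `FPR_B`, which is exactly the ambiguity the first option has to resolve; passing `uploader="alice"` narrows it to one key. A verifier that only takes the first key-id match, rather than checking the signature against every candidate or disambiguating by uploader, would silently pick the wrong key when such a collision exists.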