RFC: Finding the needed OpenPGP key (was: Proposal: cabal-install: verify OpenPGP signatures)
Nikita Karetnikov
nikita at karetnikov.org
Sat Sep 27 00:30:06 UTC 2014
There is a problem with the current OpenPGP spec: only an 8-octet key id
is included in a signature, not the whole fingerprint [1,2]. I’d like
to get some feedback on how to address this issue.
This branch [3] contains the code that adds available OpenPGP keys and
corresponding usernames to the index tarball. This information is used
during ‘cabal update’ [4] to establish a set of trusted keys, which is
then cached.
When a user runs ‘cabal install’, they only get a source tarball and
possibly a signature. How would you find the right key in the cache? I
see two options:
1. Match on 8-octet key ids.
2. Get an uploader name somehow and match on it instead.
The first option is simpler, which is a good thing. But it would
require forbidding clashing key ids. I think that’d be too restrictive
(fingerprints could be different) and would require querying the cache
for every key in the index tarball, which’d probably need a database.
The second one means sending an additional web request for each package
version during ‘install’, which would also add input validation burden
and potential security issues.
Since I dislike both options, I’ve talked to Mikhail on IRC who
suggested adding an ‘x-hackage-uploader’ field to .cabal files (similar
to the already used ‘x-hackage-revision’). That’d be done in the index
tarball without changing the original files. I like this idea because
it’s simple and would allow us to avoid fingerprint collisions [5].
What would you do?
[1] https://tools.ietf.org/html/rfc4880#section-5.2.3.5
[2] https://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
[3] https://gitorious.org/hackage-server/hackage-server/commits/openpgp
[4] https://gitorious.org/cabal/cabal/commits/openpgp
[5] https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html
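As an added illustration (not part of this post, and not code from the hackage-server or cabal branches linked above), written in Python rather than Haskell: a minimal parser for the Issuer subpacket of a v4 signature, plus a lookup over a constructed key cache that shows why option 1 (matching on the 8-octet key id) can return two keys, and how an uploader name narrows the hit. All fingerprints, key ids and uploader names are constructed.

```python
import struct

def _subpackets(area):
    """Yield (type, body) pairs from a subpacket area (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the "critical" bit
        i += length

def issuer_key_id(sig_body):
    """Return the 8-octet Issuer subpacket (type 16) of a v4 signature body."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[pos:pos + 2])[0]
    for area in (sig_body[6:pos], sig_body[pos + 2:pos + 2 + unhashed_len]):
        for sp_type, body in _subpackets(area):
            if sp_type == 16 and len(body) == 8:
                return body
    raise ValueError("signature carries no Issuer subpacket")

def build_sig_body(key_id):
    """Constructed v4 signature body: creation time (hashed), Issuer (unhashed)."""
    hashed = bytes([5, 2]) + b"\x54\x26\x1a\x00"
    unhashed = bytes([9, 16]) + key_id
    return (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

def candidate_keys(cache, sig_body, uploader=None):
    """cache: 20-octet v4 fingerprint -> uploader name, as cached from the index
    tarball. Option 1 matches the low 8 octets of each fingerprint (the v4 key
    id) against the issuer id; an x-hackage-uploader value narrows the hits."""
    key_id = issuer_key_id(sig_body)
    return [fp for fp, who in cache.items()
            if fp[-8:] == key_id and (uploader is None or who == uploader)]

# Constructed cache: two fingerprints share their last 8 octets (clashing key ids).
CACHE = {
    bytes.fromhex("00" * 12 + "0123456789abcdef"): "alice",
    bytes.fromhex("ff" * 12 + "0123456789abcdef"): "mallory",
    bytes.fromhex("11" * 12 + "fedcba9876543210"): "bob",
}
```

With the clashing key id and no uploader, `candidate_keys` returns both fingerprints; passing the uploader name reduces that to one.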