RFC: Finding the needed OpenPGP key (was: Proposal: cabal-install: verify OpenPGP signatures)
nikita at karetnikov.org
Sat Sep 27 00:30:06 UTC 2014
There is a problem with the current OpenPGP spec: only an 8-octet key id
is included in a signature, not the whole fingerprint [1,2]. I’d like
to get some feedback on how to address this issue.
This branch contains the code that adds available OpenPGP keys and
corresponding usernames to the index tarball. This information is used
during ‘cabal update’ to establish a set of trusted keys, which is
When a user runs ‘cabal install’, they only get a source tarball and
possibly a signature. How would you find the right key in the cache? I
see two options:
1. Match on 8-octet key ids.
2. Get an uploader name somehow and match on it instead.
The first option is simpler, which is a good thing. But it would
require forbidding clashing key ids. I think that’d be too restrictive
(fingerprints could be different) and would require querying the cache
for every key in the index tarball, which’d probably need a database.
The second one means sending an additional web request for each package
version during ‘install’, which would also add input validation burden
and potential security issues.
Since I dislike both options, I’ve talked to Mikhail on IRC who
suggested adding an ‘x-hackage-uploader’ field to .cabal files (similar
to the already used ‘x-hackage-revision’). That’d be done in the index
tarball without changing the original files. I like this idea because
it’s simple and would allow avoiding fingerprint collisions.
What would you do?
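As an added illustration (not code from the branch, Hackage or cabal-install), this Python sketch derives the v4 fingerprint and the 8-octet key id the way RFC 4880 defines them, then shows why a cache keyed on key id alone can hand back two candidates while an uploader name taken from the index picks exactly one. The public-key packet, the uploader names and the colliding fingerprints are constructed for the example.

```python
import hashlib
import struct
from collections import defaultdict

def v4_fingerprint(packet_body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet big-endian length,
    and the public-key packet body. Returns the 20-octet fingerprint."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """The 8-octet key id a signature carries is only the low-order 64 bits."""
    return fingerprint[-8:]

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then the magnitude."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body

def sample_v4_rsa_body(n: int, e: int, created: int = 0) -> bytes:
    """Constructed v4 RSA public-key packet body: version, creation time, algorithm 1, MPIs.
    The modulus is a toy value; it only lets the fingerprint derivation run offline."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

class KeyCache:
    """Trusted keys indexed by 8-octet key id; several fingerprints may share one id."""
    def __init__(self):
        self._by_id = defaultdict(list)   # key id -> [(uploader, fingerprint)]
    def add(self, uploader: str, fingerprint: bytes) -> None:
        self._by_id[key_id(fingerprint)].append((uploader, fingerprint))
    def by_key_id(self, kid: bytes) -> list:
        """Option 1 from the mail: match on the key id alone; ambiguous on a clash."""
        return self._by_id.get(kid, [])
    def by_uploader(self, kid: bytes, uploader: str):
        """Uploader name from the index (the ‘x-hackage-uploader’ idea) picks one key."""
        matches = [fp for (who, fp) in self._by_id.get(kid, []) if who == uploader]
        return matches[0] if len(matches) == 1 else None

# Constructed fingerprints: keys A and B deliberately share the low 8 octets.
FP_A = bytes.fromhex("00" * 12 + "0123456789abcdef")
FP_B = bytes.fromhex("ff" * 12 + "0123456789abcdef")

def demo_cache() -> KeyCache:
    c = KeyCache()
    c.add("alice", FP_A)   # hypothetical uploader names
    c.add("bob", FP_B)
    return c
```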