
Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch


From: Florian Weimer
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Sun, 7 Dec 2003 23:05:25 +0100
User-agent: Mutt/1.5.4i

Tom Lord wrote:

>    The advantage of doing this as the first step is that it won't
>    be necessary to implement signature support twice (once for 
>    local file system archives, again for everything else).

I don't think signature verification should be done at the file system
interface.

> 2) Add a "signed-archive" property to archives

This has to be set during archive registration.  You also have to
specify the fingerprint of the accepted keys.

> 3) Modify arch_pfs_connect to collect a passphrase

This is not necessary, gpg-agent will take care of this (unless you want
something working tomorrow).

> 4) Modify arch_pfs_put_file to optionally sign files
> 
>    If arch_pfs_put_file is asked to store a file in an archive 
>    with "signed-archive" set, it should work by storing the file
>    locally (in a tmp dir), invoking gpg --detach-sign to sign
>    the file (using --passphrase-fd to pass the passphrase) and then
>    store both files.

I'm not sure if this is really, really sufficient.

> 5) Write a shell script to check the signatures in an archive.

Clearly not sufficient. 8-)

Features which are required as well (IMHO):

  * SHA-1 hashes in changesets (both before and after patching)

  * "exact" application of changesets (hashes must match), especially
    if a pristine tree is constructed

  * archive name and changeset revision have to be covered by the
    signature

  * signed changeset support for mkpatch/dopatch

  * maybe something more elaborate for registering trusted developers
