
Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch


From: Andrew Suffield
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Mon, 8 Dec 2003 14:32:36 +0000
User-agent: Mutt/1.5.4i

On Sun, Dec 07, 2003 at 12:44:37PM -0800, Tom Lord wrote:
>     >> 3) Modify arch_pfs_connect to collect a passphrase
> 
>     >>    It's a bit icky to keep the passphrase in tla's memory but I think
>     >>    it's more reasonable in this case than the alternatives.
> 
>     >>    In libarch/pfs.c(arch_pfs_connect), after connecting, look for
>     >>    the "signed-archive" file.   If present, prompt the user for
>     >>    a passphrase and record it.
> 
>     > Please no! That's exactly how it shouldn't be done, since you will need
>     > to increase size of your TCB code, which is not good from security
>     > review point of view.
> 
> Well, what would you suggest?   The "requirements" are:
> 
>   a) be able to run GPG multiple times (an unbounded number of
>      times for push-mirror)
> 
>   b) try to avoid having to prompt the user for a passphrase 
>      for each run.
> 
>   c) avoid having to have the user configure additional software,
>      such as a passphrase server

Let's try attacking this from the other direction. Hypothetical:

When tla wants to push a group of files into an archive, it batches
them up into one list, and generates an md5sum file like this:

bd0a202e5727de0e930c532d89b9e7ac  tla-debian/tla-debian--debian/tla-debian--debian--1.0/patch-1/log
6eb58ed9604819b21a06c5a8678ac5a4  tla-debian/tla-debian--debian/tla-debian--debian--1.0/patch-1/tla-debian--debian--1.0--patch-1.patches.tar.gz
6da841844a35054b1c1105de79a83772  tla-debian/tla-debian--debian/tla-debian--debian--1.0/base-0/log
6b65d4c6bd998e5a9b11d5c1750f9331  tla-debian/tla-debian--debian/tla-debian--debian--1.0/base-0/tla-debian--debian--1.0--base-0.src.tar.gz

It then clearsigns this file, and installs a copy into every revision
directory referenced. The archive copy will be named
sprintf("md5sums.%d", $i++), so multiple files can exist in each
revision; to verify, load them in sequence (later files override
identical filenames in earlier ones) and filter out anything not
relevant to the current directory, then check the md5sums.

I'm sure there are some holes in this, it needs more work. I just made
it up while I was typing it.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature
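The verification half of the scheme sketched in the message above (load the md5sums.N files in sequence, let later entries override earlier ones for the same path, keep only entries under the revision directory being checked, then compare digests) as an added worked example. This is not code from the thread or from tla; the function names, the dict-based stand-in for reading the archive directory, and the file contents are all constructed here. It assumes the clearsign signature on each md5sums.N file has already been checked (for example with gpg --verify) before its body is handed to the parser, because an unsigned or badly signed manifest must never be merged. The digest defaults to md5 to match the proposal, but is a parameter so a stronger hash can be substituted.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# md5sum(1) line format: 32 hex digits, two spaces, then the archive path.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32})  (\S.*)$")


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse the body of one md5sums.N file into (path, digest) pairs.

    Assumption: `text` is the signed body whose clearsign signature has
    already been verified; this function does no signature checking."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            # A malformed line is treated as an error, not silently skipped.
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries.append((m.group(2), m.group(1).lower()))
    return entries


def merge_manifests(manifests: Iterable[str]) -> Dict[str, str]:
    """Apply md5sums.0, md5sums.1, ... in order; for a path listed more than
    once, the entry from the later file replaces the earlier one."""
    merged: Dict[str, str] = {}
    for text in manifests:
        for path, digest in parse_manifest(text):
            merged[path] = digest
    return merged


def entries_for_directory(merged: Dict[str, str], revision_dir: str) -> Dict[str, str]:
    """Filter the merged manifest down to entries under one revision directory."""
    prefix = revision_dir.rstrip("/") + "/"
    return {p: d for p, d in merged.items() if p.startswith(prefix)}


def verify_revision(manifests: Iterable[str], revision_dir: str,
                    files: Dict[str, bytes], algo: str = "md5") -> Dict[str, List[str]]:
    """Check the files of one revision directory against the merged manifest.

    `files` maps archive path -> contents; it stands in for reading the
    directory from the archive. Returns lists of paths that matched, that
    had a wrong digest, that were listed but absent, and that were present
    but vouched for by no manifest."""
    expected = entries_for_directory(merge_manifests(manifests), revision_dir)
    prefix = revision_dir.rstrip("/") + "/"
    present = {p: c for p, c in files.items() if p.startswith(prefix)}
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for path, digest in sorted(expected.items()):
        if path not in present:
            result["missing"].append(path)
        elif hashlib.new(algo, present[path]).hexdigest() == digest:
            result["ok"].append(path)
        else:
            result["mismatch"].append(path)
    result["unlisted"] = sorted(set(present) - set(expected))
    return result


def manifest_line(path: str, content: bytes, algo: str = "md5") -> str:
    """Produce one md5sum-style line for constructed sample content."""
    return f"{hashlib.new(algo, content).hexdigest()}  {path}"


# Constructed sample data: the paths follow the message's example, the
# contents are made up here so the digests are consistent with them.
PATCH1 = "tla-debian/tla-debian--debian/tla-debian--debian--1.0/patch-1"
BASE0 = "tla-debian/tla-debian--debian/tla-debian--debian--1.0/base-0"
PATCH1_TGZ = f"{PATCH1}/tla-debian--debian--1.0--patch-1.patches.tar.gz"
SAMPLE_FILES = {
    f"{PATCH1}/log": b"Summary: second push, corrected log\n",
    PATCH1_TGZ: b"<constructed tarball bytes>",
    f"{BASE0}/log": b"Summary: base revision\n",
}
SAMPLE_MANIFESTS = [
    # md5sums.0: the first push, when patch-1/log had different contents.
    "\n".join([
        manifest_line(f"{PATCH1}/log", b"Summary: first push\n"),
        manifest_line(PATCH1_TGZ, SAMPLE_FILES[PATCH1_TGZ]),
        manifest_line(f"{BASE0}/log", SAMPLE_FILES[f"{BASE0}/log"]),
    ]),
    # md5sums.1: a later push that replaced patch-1/log; its entry wins.
    manifest_line(f"{PATCH1}/log", SAMPLE_FILES[f"{PATCH1}/log"]),
]

if __name__ == "__main__":
    print(verify_revision(SAMPLE_MANIFESTS, PATCH1, SAMPLE_FILES))
```

Two behaviours are worth noticing when running it: checking patch-1 against md5sums.0 alone reports the log as a mismatch, and only the override from md5sums.1 makes it verify, which is exactly the "later files override identical filenames" rule; and a file sitting in the revision directory that no signed manifest lists is reported as unlisted rather than ignored, since silently accepting it would let unsigned content ride along with signed content.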

