Hi.

I have created a feature request about signing with minisign
https://github.com/haproxy/haproxy/issues/198

Even though this topic was discussed on the list ~07.2018, I think we can start a new
discussion with the tool minisign, which is easier to handle than gpg.

https://www.mail-archive.com/haproxy@formilux.org/msg30836.html

The arguments in the past are still valid but the difference is that the tool
makes the setup and the signing much easier, AFAIK.

The issues about the private key for signing can be handled in such a way that the
key is only valid for signing the package and the usage is straightforward.

What I have in mind.

1. Step create key
minisign -G -s ~/.haproxy-signing/haproxy-source.key -p ~/.haproxy-signing/haproxy-source.pub

2. Step sign package
echo "${SIG_PASS}" | minisign -Sm "haproxy-$NEW.tar.gz" -s ~/.haproxy-signing/haproxy-source.key -x "haproxy-$NEW.tar.gz.minisig"

3. Step verify tar.gz
minisign -Vm "haproxy-$NEW.tar.gz" -P RWRdvBnvjOVnRqqLYt9FJ3fpUqTVzMaUPcSJ6E2WYotHGMbpqh0dzMwG

Opinions?

Best regards
Aleks
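
Added example, not part of the message above and not HAProxy or minisign code: a parser for the minisign public key and .minisig formats that checks whether a signature file names the key quoted in step 3 before `minisign -V` is run. The function names and the sample signature are constructed for illustration; the key-ID match is only a pre-check and does not verify the Ed25519 signature.

```python
import base64
from typing import NamedTuple

# Public key quoted in step 3 of the message above.
PAGE_PUBKEY = "RWRdvBnvjOVnRqqLYt9FJ3fpUqTVzMaUPcSJ6E2WYotHGMbpqh0dzMwG"

class PubKey(NamedTuple):
    alg: bytes     # b"Ed"
    key_id: bytes  # 8-byte key identifier
    key: bytes     # 32-byte Ed25519 public key

class Sig(NamedTuple):
    alg: bytes     # b"Ed" (legacy) or b"ED" (file pre-hashed with BLAKE2b)
    key_id: bytes  # identifies which key produced the signature
    sig: bytes     # 64-byte Ed25519 signature
    trusted_comment: str

def parse_pubkey(b64: str) -> PubKey:
    raw = base64.b64decode(b64.strip(), validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return PubKey(raw[:2], raw[2:10], raw[10:])

def parse_minisig(text: str) -> Sig:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("unexpected .minisig layout")
    if not lines[2].startswith("trusted comment: "):
        raise ValueError("missing trusted comment")
    raw = base64.b64decode(lines[1], validate=True)
    glob = base64.b64decode(lines[3], validate=True)  # signs sig + trusted comment
    if len(raw) != 74 or raw[:2] not in (b"Ed", b"ED") or len(glob) != 64:
        raise ValueError("malformed signature lines")
    return Sig(raw[:2], raw[2:10], raw[10:], lines[2][len("trusted comment: "):])

def signed_by(pub: PubKey, sig: Sig) -> bool:
    """True when the signature names the pinned key; this is not verification."""
    return pub.key_id == sig.key_id

def constructed_minisig(key_id: bytes) -> str:
    """Constructed sample: valid layout, all-zero (invalid) signature bytes."""
    body = base64.b64encode(b"ED" + key_id + bytes(64)).decode()
    glob = base64.b64encode(bytes(64)).decode()
    return (f"untrusted comment: constructed sample\n{body}\n"
            f"trusted comment: timestamp:0\tfile:haproxy-X.Y.tar.gz\n{glob}\n")
```

A key-ID mismatch means the file was signed with a different key than the pinned one, which is worth alerting on separately from a failed verification.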
