https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
--- Comment #3 from David Cook <[email protected]> ---

Preface: Apologies for the long post. It was my mental working through of possibilities for libraries for this functionality. Maybe it will be useful to someone else's thought process. Feel free to ignore and I'll write a shorter one after it with a suggestion.

--

Oh right... gpg will handle that transparently if we just provide something like "gpg --verify plugin.sig plugin.kpz" or "gpg --decrypt plugin.kpz.sig --output plugin.kpz".

Of course, the fun comes when shelling out to gpg from a web process... Some interesting conversation between Gregor Herrmann and Daniel Kahn Gillmor about this topic at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875124. They seem to suggest GnuPG::Interface but it still just shells out rather than using bindings. (A few years ago, I was interested in working on some Perl bindings for GPG, but just never found the time - quelle surprise.)

On that note... we don't *have* to use GPG for signing. Although I don't really have any other obvious viable candidates. There's EdDSA (https://en.wikipedia.org/wiki/EdDSA#Software), but nothing there is standing out to me. Libgcrypt has signature support but I recall Crypt::GCrypt being terribly broken and it doesn't have signature support anyway. Although we could look at "python3-gpg" in Debian/Ubuntu which are official Python bindings for GPG using GPGME. But we couldn't use that in Starman and that would be a pain to set up.

Maybe Crypt::OpenSSL::RSA which looks recent and seems to use bindings rather than shelling out. I see libcrypt-openssl-rsa-perl in Ubuntu 18.04. (Apparently Crypt::OpenSSL::RSA appears in some OCLC docs for working with Perl and Relais: https://help.oclc.org/Resource_Sharing/Relais_D2D/Authentication/Encryption)

(Also kind of interesting looking at what Crypt::JWT uses for managing JWS algorithms: https://metacpan.org/pod/Crypt::JWT. As you can see, Crypt::OpenSSL::RSA shows up there again.)

Oh that's interesting... for EdDSA it uses Crypt::PK::Ed25519, but Ubuntu 18.04 doesn't have Crypt::JWT or Crypt::PK::Ed25519. Oh actually... libcryptx-perl is available in Ubuntu 18.04 and Debian Stretch Backports... https://metacpan.org/pod/CryptX and https://packages.debian.org/search?keywords=libcryptx-perl

No idea who Karel Miko is but that is amazing. Based on his LinkedIn, it looks like he's been doing security for quite a long time (and has maintained CryptX since 2013). https://metacpan.org/pod/Crypt::PK::RSA looks pretty interesting. And looking here https://metacpan.org/source/MIK/CryptX-0.068/CryptX.xs you can see it using the libtomcrypt headers (https://www.libtom.net/).

Looks like libtomcrypt has 35 listed contributors (https://github.com/libtom/libtomcrypt/graphs/contributors) including Karel Miko... with most of the work starting in 2017... although apparently it was originally created by Tom St Denis (a Canadian from Ottawa) in 2001. So I'm guessing maybe not everything is shown in the Github. Seems like a pretty active project with a handful of developers working on it.

Ooof... looks like there were some big dramas back in 2009 and Tom St Denis left the project and no one immediately took it up (https://groups.google.com/forum/#!msg/sci.crypt/Z7lVGM2wo2o/UfQpm0cdQRMJ). Obviously someone did resurrect it though. The Github history goes back to 2008/2009. Anyway that's just history. Seems like it's seen a fair bit of work since then, plus it's in every Linux distribution it seems.

I feel like I've heard of libtomcrypt before in a project I was using... ahhh yes because dropbearssh uses libtomcrypt (which I compiled to run on my Android phone so I could use rsync on my phone using SSH).

Anyway...
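As an added illustration of the "bindings rather than shelling out" option the comment above lands on, here is a detached Ed25519 sign/verify round trip for a plugin archive using Crypt::PK::Ed25519 from CryptX (libcryptx-perl). This is example code written for this page, not Koha code and not anything from the bug; the function names, the base64 signature-file format, the file names, and the idea of a pinned public key in configuration are all assumptions. The archive bytes in the demo are constructed, not a real .kpz.

```perl
#!/usr/bin/perl
# Added example (not Koha code): detached Ed25519 signatures for a plugin archive
# via Crypt::PK::Ed25519 (CryptX / libcryptx-perl). No gpg subprocess, so nothing
# to escape and no gpg-agent/homedir to manage inside the web process.
# Assumptions: the public key is pinned (e.g. in koha-conf.xml) and the signature
# travels beside the archive as base64 in plugin.kpz.sig. File names are hypothetical.
use strict;
use warnings;
use Crypt::PK::Ed25519;
use MIME::Base64 qw(encode_base64 decode_base64);

# Sign raw archive bytes with a PEM private key; returns a base64 detached signature.
sub sign_plugin {
    my ($priv_pem, $bytes) = @_;
    my $pk = Crypt::PK::Ed25519->new(\$priv_pem);   # new() accepts a ref to a key buffer
    return encode_base64($pk->sign_message($bytes), '');
}

# Verify a base64 detached signature against a pinned PEM public key.
# Returns 1 only on a valid signature over exactly these bytes; 0 for a tampered
# archive, a signature from another key, or a malformed signature file.
sub verify_plugin {
    my ($pub_pem, $sig_b64, $bytes) = @_;
    my $sig = decode_base64($sig_b64 // '');
    return 0 unless length($sig) == 64;              # Ed25519 signatures are always 64 bytes
    my $pk = Crypt::PK::Ed25519->new(\$pub_pem);     # public-key-only object is enough to verify
    my $ok = eval { $pk->verify_message($sig, $bytes) };   # treat any internal error as failure
    return $ok ? 1 : 0;
}

# Read a file as raw bytes (archive, key, or signature file).
sub slurp {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "open $path: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# --- Demo with a freshly generated key pair and constructed archive bytes ---
my $gen = Crypt::PK::Ed25519->new;
$gen->generate_key;
my $priv_pem = $gen->export_key_pem('private');   # stays with the plugin author
my $pub_pem  = $gen->export_key_pem('public');    # what the installing site would pin

# Constructed stand-in for plugin.kpz; real use would be slurp('plugin.kpz').
my $kpz = "PK\x03\x04" . ("constructed plugin archive bytes\n" x 16);

my $sig_b64 = sign_plugin($priv_pem, $kpz);
print "detached signature (base64): $sig_b64\n";

# Untouched archive verifies under the pinned key.
verify_plugin($pub_pem, $sig_b64, $kpz) == 1
    or die "genuine archive failed to verify";

# A single appended byte must fail: the signature covers the exact archive bytes.
verify_plugin($pub_pem, $sig_b64, $kpz . "\x00") == 0
    or die "tampered archive verified";

# A signature from a different key pair must fail against the pinned key.
my $other = Crypt::PK::Ed25519->new;
$other->generate_key;
my $forged = sign_plugin($other->export_key_pem('private'), $kpz);
verify_plugin($pub_pem, $forged, $kpz) == 0
    or die "signature from unpinned key verified";

# A garbage signature file must fail without throwing.
verify_plugin($pub_pem, 'not-a-signature', $kpz) == 0
    or die "malformed signature verified";

print "all checks passed\n";

# Real use, with the hypothetical file layout:
#   author:    write sign_plugin(slurp('author.key.pem'), slurp('plugin.kpz')) to plugin.kpz.sig
#   installer: verify_plugin(slurp($pinned_pub_pem), slurp('plugin.kpz.sig'), slurp('plugin.kpz'))
#              and refuse to unpack the archive unless it returns 1.
```

Two points worth noting for the Koha case: the verify side only ever needs the public key, so the web process never holds signing material; and the decision to install must be made on the same bytes that were verified, so verify the archive on disk and then unpack that file, rather than re-downloading or re-reading something that could differ.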
