https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
--- Comment #9 from David Cook <[email protected]> ---

OK I've used openssl to generate an RSA private key and a public key, and create a signature for the KitchenSink KPZ (or more accurately a signature of a SHA256 digest of the KitchenSink KPZ).

I've used Crypt::OpenSSL::RSA to load the public key and verify the signature against the KitchenSink KPZ file, and it's working very nicely on koha-testing-docker. Hurray!

Next, I plan to create a plugin_keys table (or something like that) where admins can upload RSA public keys against a little descriptive name.

Then, I'll add an upload option for the signature file. (I'll add a system preference to make the signature mandatory and default that preference to off for backwards compatibility.)

Then, I iterate through the public keys to see if any of them return true.

(The error reporting in Crypt::OpenSSL::RSA isn't brilliant. False is returned if the key is bad, false is returned if the file is bad, and false if the signature is bad. There's no way to differentiate between the failure states. That all being said, I suppose it doesn't matter too much. We can just tell users to review their saved keys, and double-check their source and that they're using the right signature for the right file.)

I really thought I'd be able to work through my hunger but... going to have to eat.
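The workflow described in the comment above, as an added example that is not part of the original comment or of Koha's code: a detached RSA signature over a file's SHA-256 digest, checked against each key in a directory of trusted public keys until one verifies. It uses the openssl command line for verification rather than Crypt::OpenSSL::RSA, and every file name, key name and the sample archive content are constructed for the example.

```shell
#!/bin/sh
# Added example; all paths, key names and file contents are constructed.

# make_keypair PRIVATE_OUT PUBLIC_OUT: generate a 2048-bit RSA key pair.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# sign_file PRIVATE_KEY FILE SIG_OUT: sign the SHA-256 digest of FILE.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_with_trusted_keys FILE SIG KEYDIR: try every *.pem public key in
# KEYDIR. Prints the name of the first key that verifies and returns 0;
# returns 1 when no trusted key accepts the signature.
verify_with_trusted_keys() {
    for key in "$3"/*.pem; do
        [ -f "$key" ] || continue
        if openssl dgst -sha256 -verify "$key" -signature "$2" "$1" >/dev/null 2>&1; then
            basename "$key" .pem
            return 0
        fi
    done
    return 1
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/trusted"
    make_keypair "$work/vendor_a.key" "$work/trusted/vendor_a.pem"
    make_keypair "$work/vendor_b.key" "$work/trusted/vendor_b.pem"
    printf 'constructed plugin archive bytes\n' > "$work/plugin.kpz"
    sign_file "$work/vendor_b.key" "$work/plugin.kpz" "$work/plugin.kpz.sig"

    # The signature was made by vendor_b, so the loop skips vendor_a first.
    echo "original: $(verify_with_trusted_keys "$work/plugin.kpz" \
        "$work/plugin.kpz.sig" "$work/trusted" || echo REJECTED)"

    # Any change to the file after signing must cause every key to fail.
    printf 'modified\n' >> "$work/plugin.kpz"
    echo "modified: $(verify_with_trusted_keys "$work/plugin.kpz" \
        "$work/plugin.kpz.sig" "$work/trusted" || echo REJECTED)"
    rm -rf "$work"
}

demo
```

As in the comment, a rejection here does not say whether the key, the file or the signature was the mismatch; the loop only reports which trusted key matched when one does.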
