On 22/8/23 23:22, Max Gautier wrote:
> On Sun, Aug 20, 2023 at 03:31:41PM +1000, Allan McRae wrote:
>> The answer is a solid maybe... Even leaning towards yes here! Questions to
>> answer first:
>> 1) would we allow mixed signature verification. e.g. some repos use GPG and
>> others use openssh? Or some repos using both?
>
> I think pacman should have the capability to check repos using both; I
> don't see how else we could support a distribution migrating from one
> signature scheme to another (re-signing all packages at once seems
> impractical).
> I think the decision of which scheme to allow should be left to
> configuration, either as a global setting in pacman.conf or as a per
> repo one.

I have been thinking on this...

I think pacman needs to be able to be configured to support
zero/either/both signature methods (just considering GPG and openssh at
this time). We currently allow enabling/disabling GPG support.
A global/repo level pacman.conf setting fits our current set-up with
signature level verification.

However, I am not convinced that repos using a mixture of GPG and
openssh signatures should not be supported. See below.

>> 2) What do we need to add to package entries in repos so that pacman knows
>> the signature file to download.
>
> I would not differentiate signature files depending on the scheme used,
> and just reuse the same structure (a .sig file).
> I see two possible ways if we do that:
> - detect the scheme used then verify signature (probably better error
> messages)
> - try to verify the signature with all allowed schemes (simpler)

We really need better error messages anyway!

The simple version is probably a no-go. GPG checks are fairly costly,
and given current signature usage, it would make sense to check these
first. This problem becomes worse if additional signing methods become
supported.

Signature type detection would be interesting, but I see it being
brittle/complex if/when alternative signing methods get added.

Having a single configurable signing method per repo removes the need to
even deal with this.

>> Our current assumptions are very GPG based...
>
> Do you mean just the filename of the signature or also other things?

I was thinking filename, but I see openssh uses .sig too. So that logic
does not need updating.

>> 3) What will be our criteria for including additional signature verification
>> methods? openssh seems a good option for me, but we have had people request
>> one of the other new signing variants.
>
> I would say the criteria should be that a new method brings something
> more or better compared to those already existing in pacman. That's a
> bit vague though; it would probably be on a case-by-case basis.
> You're talking of minisign and signify, I suppose?

Exactly.

Overall, I am happy for this idea to move forward. My suspicion is that
some initial refactoring may be needed to ease the addition of new
signature formats. Without looking in detail, I suspect doing that
would be a good place to start.

Allan
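As an added illustration of the "detect the scheme, then verify" option discussed in the thread (example code, not pacman's and not from either author): classify a detached .sig by its leading bytes, then dispatch to the verifier permitted by a hypothetical per-repo allowed-schemes setting. The allowed_signers path, principal and namespace passed to ssh-keygen are placeholders, and the sample signature bytes are constructed, not real signatures.

```python
# Added example: scheme detection for a pacman-style detached .sig file,
# not pacman code. Classify by leading bytes, then pick the verifier.

SSH_ARMOR = b"-----BEGIN SSH SIGNATURE-----"
PGP_ARMOR = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample signature bytes (not real signatures).
SSH_SIG = (b"-----BEGIN SSH SIGNATURE-----\n"
           b"U1NIU0lHAAAAAQ==\n-----END SSH SIGNATURE-----\n")
GPG_SIG = bytes([0x89, 0x01, 0x33, 0x04, 0x00])  # old-format tag-2 header

def detect_scheme(sig: bytes) -> str:
    """Classify detached signature bytes as 'openssh', 'gpg' or 'unknown'."""
    head = sig.lstrip()
    if head.startswith(SSH_ARMOR):
        return "openssh"  # ssh-keygen -Y sign always emits this armor
    if head.startswith(PGP_ARMOR):
        return "gpg"      # gpg --armor --detach-sign
    # Binary OpenPGP: header byte has bit 7 set and tag 2 (signature):
    # old format 0x88..0x8B, new format 0xC2.
    if sig and (0x88 <= sig[0] <= 0x8B or sig[0] == 0xC2):
        return "gpg"
    return "unknown"

# Hypothetical per-repo policy: which schemes a repo may use; "*" is the
# global default, so one repo can be mid-migration while the rest stay GPG.
ALLOWED = {"*": {"gpg"}, "migrating": {"gpg", "openssh"}}

def verifier_argv(repo, pkg, sig_path, sig, allowed=ALLOWED):
    """Return the verifier argv for one package, or raise if the detected
    scheme is not permitted for that repo. Nothing is executed here."""
    scheme = detect_scheme(sig)
    permitted = allowed.get(repo, allowed["*"])
    if scheme not in permitted:
        raise ValueError(f"{repo}: scheme {scheme!r} not allowed "
                         f"(permitted: {sorted(permitted)})")
    if scheme == "gpg":
        return ["gpg", "--verify", sig_path, pkg]
    # ssh-keygen -Y verify reads the signed data from stdin; the caller
    # streams the package file. allowed_signers path, principal (-I) and
    # namespace (-n) are placeholders.
    return ["ssh-keygen", "-Y", "verify", "-f", "/etc/pacman.d/allowed_signers",
            "-I", "repo-signer@example.org", "-n", "pacman", "-s", sig_path]

if __name__ == "__main__":
    for repo, sig in (("core", GPG_SIG), ("migrating", SSH_SIG)):
        print(repo, verifier_argv(repo, "pkg.tar.zst", "pkg.tar.zst.sig", sig))
```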