Shawn Walker wrote:
> Greetings,
> As part of the catalog v1 work I'm doing, I'm also in the process of
> changing the server to include package identity information in the
> package manifest, such as the FMRI (bug 8217) with the belief that
> fully-qualifying the FMRI with the publisher prefix (bug 2762) was
> desirable.
> However, a recent conversation with Stephen led me to believe that in
> light of manifest signing, this may be problematic. In particular, my
> understanding was that "Company A" may sign a manifest and be the
> initial "publisher" of a package. Later on, they may give that package
> to Sun to redistribute, and so "sun.com" would be the publisher and the
> last signer of the package instead since they are the "immediate
> provider" of the package.
Yes, and then the local admin could republish into their local repository
again with their local company signature.
Or the second signature might remove the first. For example ON handing
off its IPS packages to RE.
Both cases are valid and accounted for in the signed manifest proposal.
> So, I have a few questions:
> * Am I right in assuming that we should be storing the fully-qualified
> FMRI (that is, an FMRI that includes publisher information) in the
> Manifest?
> I've read 8217 and 2762 and they seem to indicate that - but I don't
> know enough about the problem they are trying to fix to determine if you
> need the full FMRI or not.
> * Since Manifests are unsorted, how would we determine who the "last
> signer" was?
The signature entry could have a timestamp field. Ideally this would
really be a "Trusted Time Stamp"[1], but a simple "signedon" field using
the localtime would be good enough (and that is what we do in libelfsign).
> * To workaround the multiple signers issues, should signature actions
> omit the "set pkg.fmri" from their evaluation of the manifest contents?
What about if the fmri was part of the signature action itself, e.g.:
signature type=x.509 hashtype=sha-256 sigtype=rsa-pkcs public_key=<hash>
[public_key=<hash>] ... value=<hash> ...
pkg.fmri=pkg://pkg.opensolaris.org/....
Not sure if that will help you solve 8217 and 2762 though. It might
also be a problem with some other cases too, say if we want the same
signed package at more than one FMRI but with the same signature - would
that make sense to have ?
--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
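An added worked example of the points raised in the thread (this is not code from the thread, from pkg(5) or from the signed manifest proposal): a toy model in which manifest action lines are unsorted, each signature action carries a "signedon" timestamp and the FMRI the signer vouches for, and the signer can either include or omit the "set pkg.fmri" action from what it signs. HMAC with a per-publisher secret stands in for the X.509/RSA signature; the publisher names, keys, manifest lines and timestamps are all constructed for the example.

```python
"""Toy model of multi-signer IPS manifests: unsorted action lines, a
'signedon' timestamp on each signature action, the signer's FMRI carried
in the signature action, and a switch for whether 'set pkg.fmri' is signed.
Added example, not pkg(5) code: HMAC stands in for X.509/RSA signing, and
all publishers, keys, manifest lines and timestamps are constructed."""
import hashlib
import hmac
from datetime import datetime

# Hypothetical per-publisher signing keys (stand-in for RSA private keys).
KEYS = {"companya.example": b"companya-key", "sun.com": b"sun-key"}


def parse_attrs(action):
    """Split 'signature k=v k=v ...' into a dict of attributes."""
    return dict(tok.split("=", 1) for tok in action.split()[1:])


def canonical_payload(actions, fmri, signedon, exclude_fmri):
    """Bytes a signature covers. Non-signature actions are sorted so the
    manifest's line order does not matter. With exclude_fmri the manifest's
    'set name=pkg.fmri' action is skipped and the signer's own pkg.fmri
    (carried in the signature action) is covered instead."""
    body = sorted(a for a in actions
                  if not a.startswith("signature ")
                  and not (exclude_fmri and a.startswith("set name=pkg.fmri ")))
    return "\n".join(body + [f"pkg.fmri={fmri}", f"signedon={signedon}"]).encode()


def sign(actions, publisher, fmri, signedon, exclude_fmri):
    """Produce a signature action in the style discussed in the thread."""
    payload = canonical_payload(actions, fmri, signedon, exclude_fmri)
    value = hmac.new(KEYS[publisher], payload, hashlib.sha256).hexdigest()
    return (f"signature type=hmac-toy hashtype=sha-256 publisher={publisher} "
            f"pkg.fmri={fmri} signedon={signedon} value={value}")


def verify(actions, sig_action, exclude_fmri):
    """Recompute the payload from the signature's own attributes and compare."""
    s = parse_attrs(sig_action)
    payload = canonical_payload(actions, s["pkg.fmri"], s["signedon"], exclude_fmri)
    expected = hmac.new(KEYS[s["publisher"]], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, s["value"])


def last_signer(actions):
    """Manifests are unsorted, so the newest 'signedon' identifies the
    immediate provider rather than whichever signature line comes last."""
    sigs = [parse_attrs(a) for a in actions if a.startswith("signature ")]
    newest = max(sigs, key=lambda s: datetime.fromisoformat(s["signedon"]))
    return newest["publisher"]


def republish_scenario(exclude_fmri):
    """Company A signs its package; Sun republishes it under sun.com,
    rewrites pkg.fmri, reorders the lines and adds its own signature.
    Returns (company_a_sig_still_valid, sun_sig_valid, last_signer)."""
    base = ["dir path=usr/bin mode=0755 owner=root group=bin",
            "file 0123abcd path=usr/bin/tool mode=0555 owner=root group=bin",
            "set name=pkg.summary value=constructed-example"]
    fmri_a = "pkg://companya.example/tool@1.0"
    m_a = base + [f"set name=pkg.fmri value={fmri_a}"]
    sig_a = sign(m_a, "companya.example", fmri_a,
                 "2009-03-10T09:00:00+00:00", exclude_fmri)
    m_a.append(sig_a)

    fmri_sun = "pkg://sun.com/tool@1.0"
    m_sun = [a for a in m_a if not a.startswith("set name=pkg.fmri ")]
    m_sun.append(f"set name=pkg.fmri value={fmri_sun}")
    m_sun.reverse()  # different line order: manifests are unsorted
    m_sun.append(sign(m_sun, "sun.com", fmri_sun,
                      "2009-03-11T15:30:00+00:00", exclude_fmri))

    return (verify(m_sun, sig_a, exclude_fmri),
            verify(m_sun, m_sun[-1], exclude_fmri),
            last_signer(m_sun))


if __name__ == "__main__":
    print("pkg.fmri omitted from signed data:", republish_scenario(True))
    print("pkg.fmri included in signed data:", republish_scenario(False))
```

With "set pkg.fmri" omitted from the signed data (and the signer's FMRI carried in the signature action instead), Company A's signature survives Sun's republish and the "signedon" ordering still names sun.com as the last signer; with "set pkg.fmri" included, the rewrite invalidates Company A's signature. The caveat the thread itself raises applies here too: a plain "signedon" field is only as trustworthy as the signer's clock and honesty, so a later signer could backdate or postdate itself; a trusted timestamp binds the time to a third party, and sorting actions before hashing is what makes the scheme independent of the manifest's line order.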