Brock Pytlik wrote:
> Mostly nits as well.
> I don't quite understand why the hash value for a manifest would change, can you help me understand what's different about the manifest text that's signed now?

This is not for manifests; this is only for catalogs.

But as to why it changed, that's simple enough.

Previously, it was inserting a dummy data structure into the catalog structure and then serializing it. The catalog hash included this dummy structure and the actual catalog data. After it had written the file, it did a seek back to the dummy data structure and replaced the dummy signature values with the real signature values (hash in this case).

However, that turned out to be slower than I thought it would be, in part because json.dump() calls the write() method 1 million plus times.

As such, it was significantly faster to use misc.get_data_digest() to get the sha-1 of the catalog file after it was written and then serialize the signature structure (which also contains the hash) and append that to the file instead.

> catalog.py:
> 134+: Is there a plan to do actual cryptographic signing in the future here? Or will it always be the identity signature (ie, hash value)? If

Yes, a hash is just a degenerate signature case. But the plan is for it to handle both. It is the same thing we do for manifests today.

Cheers,
--
Shawn Walker
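
The write-then-hash-then-append scheme described in the message above, as an added example that is not the pkg(5) code. The one-line trailer layout, the `_SIGNATURE` key and the function names are assumptions made for illustration, and `hashlib` stands in for `misc.get_data_digest()`.

```python
import hashlib
import json

SIG_KEY = "_SIGNATURE"  # hypothetical key name for the appended structure


def file_sha1(path, chunk=65536):
    """SHA-1 of a file already on disk, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def save_catalog(path, catalog):
    """Write the catalog body, hash the finished file, then append the signature line."""
    with open(path, "wb") as f:
        f.write(json.dumps(catalog, sort_keys=True).encode("utf-8") + b"\n")
    digest = file_sha1(path)  # covers only the body: the trailer is not written yet
    with open(path, "ab") as f:
        f.write(json.dumps({SIG_KEY: {"sha-1": digest}}).encode("utf-8") + b"\n")
    return digest


def load_catalog(path):
    """Recompute the hash over everything before the last line and compare it."""
    with open(path, "rb") as f:
        data = f.read()
    body, sep, trailer = data.rstrip(b"\n").rpartition(b"\n")
    try:
        claimed = json.loads(trailer)[SIG_KEY]["sha-1"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("missing or malformed signature trailer")
    if hashlib.sha1(body + sep).hexdigest() != claimed:
        raise ValueError("catalog hash mismatch")
    return json.loads(body)
```

Because the trailer carries only a hash, this check catches corruption or truncation; anyone able to rewrite the file can also rewrite the trailer, which is the gap a real cryptographic signature in the same structure would close.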