
Stateless OpenPGP command-line interface for package management



Hi!

Daniel Kahn Gillmor (CCed) has been working on a proposal for a
stateless OpenPGP command-line interface (that would ideally eventually
be supported by all OpenPGP implementations), both RFC draft and
reference implementation, and we had a chat some time ago on what might
be the requirements from a package manager PoV, where I mentioned I'd
bring it up on the dpkg and apt lists. I've also CCed Peter Pentchev
for debsigs. The draft can be found here:

  https://dkg.fifthhorseman.net/draft-openpgp-stateless-cli.html
  https://gitlab.com/dkg/openpgp-stateless-cli

and the implementation (AFAIK) here:

  https://gitlab.com/dkg/python-sop


I think that what we mostly need is:

  * verification support for:
    - multiple keyrings, mentioned explicitly as AFAIR there was talk
      about dropping this from GnuPG (?) (already supported).
    - inline signatures for .dsc, .changes, InRelease, etc
      (planned with something like detach-inband-signature-and-message?).
    - unbundling inline signatures from their data, which could make it
      possible to remove the OpenPGP signature ASCII armored parsing
      code from dpkg-dev and apt, but this would come at the cost of
      having to depend on such implementation, which would increase
      the build-essential set. :/
    - being able to warn about or reject specific weak constructs,
      needed by apt, in the future by dpkg (not supported AFAICS).

  * querying support for:
    - getting the key ID matching a pattern in a keyring, needed by
      debsig-verify to match on its policy (not supported AFAICS).
    - getting the key ID used in a signature, needed by
      debsig-verify to match on its policy (not supported AFAICS).
    - getting the signature date (?), used by debsigs
      (not supported AFAICS, seems just informational use).

  * conversion support for:
    - binary to ASCII armored signatures, f.ex. for upstream tarball
      signatures (already supported).

  * signing support for:
    - specifying a key ID (not supported AFAICS?).


These are off the top of my head, I might be missing more from apt's
side though. But I think we'd all be very happy if we could stop
having to parse --with-colons stuff, and having to deal with mixed
metadata and data streamed out from GnuPG. :)

Thanks,
Guillem
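The "unbundling inline signatures from their data" item above is the parsing step that dpkg-dev and apt currently carry themselves. As an added illustration (not dpkg-dev's, apt's or sop's code), here is a small Python splitter for a clearsigned file such as a .dsc, following the RFC 4880 cleartext signature framework: it undoes dash-escaping, strips the unsigned trailing whitespace, and fails closed on any framing irregularity. The sample input is constructed and its signature body is dummy base64.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: a minimal .dsc-like clearsigned text with one
# dash-escaped line; the signature body is dummy base64, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example
- -- dash-escaped by the signer, since the line starts with a dash
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.tar.xz
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEexample
=AAAA
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Return (signed_text, armored_signature); raise ValueError on bad framing."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("first line is not the cleartext signature header")
    i = 1
    while i < len(lines) and lines[i] != "":      # armor headers (Hash: ...)
        i += 1
    if i == len(lines):
        raise ValueError("armor headers not terminated by an empty line")
    body, i = [], i + 1
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]                       # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash-prefixed line: %r" % line)
        body.append(line.rstrip(" \t"))           # trailing whitespace is not signed
        i += 1
    if i == len(lines):
        raise ValueError("no signature block follows the message")
    sig_start = i
    while i < len(lines) and lines[i] != END_SIG:
        i += 1
    if i == len(lines):
        raise ValueError("signature block not terminated")
    if any(l.strip() for l in lines[i + 1:]):
        raise ValueError("trailing data after the signature block")
    return "\n".join(body), "\n".join(lines[sig_start:i + 1]) + "\n"
```

The returned signed text omits the line ending that precedes the signature armor, as the framework specifies, so it is the exact input a detached-signature verifier should hash.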

