[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Stateless OpenPGP command-line interface for package management


Daniel Kahn Gillmor (CCed) has been working on a proposal for a
stateless OpenPGP command-line interface (that would ideally eventually
be supported by all OpenPGP implementations), both RFC draft and
reference implementation, and we had a chat some time ago on what might
be the requirements from a package manager PoV, where I mentioned I'd
bring it up on the dpkg and apt lists. I've also CCed Peter Pentchev
for debsigs. The draft can be found here:


and the implementation (AFAIK) here:


I think that what we mostly need is:

  * verification support for:
    - multiple keyrings, mentioned explicitly as AFAIR there was talk
      about dropping this from GnuPG (?) (already supported).
    - inline signatures for .dsc, .changes, InRelease, etc
      (planned with something lile detach-inband-signature-and-message?).
    - unbundling inline signatures from their data, which could make it
      possible to remove the OpenPGP signature ASCII armored parsing
      code from dpkg-dev and apt, but this would come at the cost of
      having to depend on such implementation, which would increase
      the build-essential set. :/
    - being able to warn about or reject specific weak constructs,
      needed by apt, in the future by dpkg (not supported AFAICS).

  * querying support for:
    - getting the key ID matching a pattern in a keyring, needed by
      debsig-verify to match on its policy (not supported AFAICS).
    - getting the key ID used in a signature, needed by
      debsig-verify to match on its policy (not supported AFAICS),
    - getting the signature date (?), used by debsigs
      (not supported AFAICS, seems just informational use).

  * conversion support for:
    - binary to ASCII armored signatures, f.ex. for upstream tarball
      signatures (already supported).

  * signing support for:
    - specifying a key ID (not supported AFAICS?).

These are off the top of my head, I might be missing more from apt's
side though. But I think we'd all be very happy if we could stop
having to parse --with-colons stuff, and having to deal with mixed
metadata and data streamed out from GnuPG. :)


Reply to: