
Re: digital signature



On Thu, 21 Sep 2000, Alfredo Kengi Kojima wrote:

> I'm working on adding support for digital signature verification in apt,
> to allow authentication of the source of downloaded packages. Since we
> (Conectiva) intend to work extensively with mirror sites, that's an
> important feature. 

Hm, you'd be a lot better off to just sign your index file and check that
on Update. Since that file already has hashes of the other files you get
your checking for free.

Debian will be implementing this at some point I suspect.

> The modifications I'm making is to add a companion file to sources.list,
> named vendors.list.  That file will contain a list of vendors the user
> trusts and public key IDs for them. Each of the repositories listed in

This sounds reasonable even if you do the above.

> The vendors.list file, will contain:
> cncbr "Conectiva S.A. <security@conectiva.com.br>"      gpg:1024D/99807190 

This isn't so good. For OpenPGP and PGP2.x keys you need to store the
fingerprint and length. You've got the key id, the misnomer 'gpg'
algorithm and length.

I'd just go with something like:

jgg 64BE1319CCF6D393BF87FF9358A6D4EE 1024 "Jason Gunthorpe <jgg@debian.org>"

This is a lot better. You'll need some way to manage key rings as well.

There is also another issue to do with age - signing package files tends
to kill that issue. Someone could construct a 'worst of' distribution that
contains all sorts of packages you have released, but later created
security fixes for. This is a serious problem with only checking
signatures of .rpms.

The ultimate scheme that I have idly been thinking about is that each
'base' url (http://ftp.debian.org/debian.org) would have a signed index
file that contains a list of all Release, Source, Source.gz, Packages,
Packages.gz and their sizes. The acquire bit would grab that file first
and then check the others as it downloads.

Since this fuses the Packages+Source+Release into a single signature it is
almost impossible to create a 'worst of' without it being plainly evident
to the user. Update will have to show the release information too, but
that's not a big deal.

There is also the nice advantage that you can create accurate progress
meters for the index files too :> It also has minimal overhead which is
nice too.

Jason
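The scheme Jason sketches above, as an added worked example that is not code from this thread, from apt or from Conectiva: the vendor publishes one signed index listing every index file with its digest and size, the client verifies the index signature against the pinned vendor key first, and then checks each downloaded file against that index. The line format, the file contents and the Ed25519 key (standing in for the OpenPGP key a vendors.list entry would pin) are all constructed for the demo; the final part shows why the single signature defeats a 'worst of' mirror that replays an older, once-legitimate Packages file.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// IndexEntry is one line of the signed index: "<sha256-hex> <size> <path>".
// The format is a constructed stand-in for the Release-style index the mail describes.
type IndexEntry struct {
	Hash string // hex SHA-256 of the file contents
	Size int64  // byte length, checked first so a wrong-length file is rejected cheaply
	Path string // path relative to the base URL, e.g. "main/binary-i386/Packages"
}

// DemoKeyPair derives a vendor key pair from a fixed seed byte so the example is
// reproducible; a real vendor key would come from the trusted key ring (vendors.list).
func DemoKeyPair(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildIndex produces the index body for every file the vendor publishes,
// sorted by path so the bytes (and hence the signature) are deterministic.
func BuildIndex(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %d %s\n", hex.EncodeToString(sum[:]), len(files[p]), p)
	}
	return []byte(b.String())
}

// SignIndex signs the whole index body at once, so Release, Packages and Sources
// are bound together under one signature rather than signed separately.
func SignIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// ParseIndex verifies the detached signature against the vendor key the user
// trusts and only then parses the entries; nothing unverified is interpreted.
func ParseIndex(pub ed25519.PublicKey, index, sig []byte) (map[string]IndexEntry, error) {
	if !ed25519.Verify(pub, index, sig) {
		return nil, errors.New("index signature does not verify against trusted vendor key")
	}
	entries := make(map[string]IndexEntry)
	for _, line := range strings.Split(strings.TrimSpace(string(index)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed index line %q", line)
		}
		size, err := strconv.ParseInt(f[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad size in index line %q: %v", line, err)
		}
		entries[f[2]] = IndexEntry{Hash: f[0], Size: size, Path: f[2]}
	}
	return entries, nil
}

// CheckFile validates one downloaded file against the signed index. A file that
// is unlisted, of the wrong size, or with the wrong digest is rejected; the digest
// case is what catches a mirror serving an older, once-valid Packages file.
func CheckFile(entries map[string]IndexEntry, path string, data []byte) error {
	e, ok := entries[path]
	if !ok {
		return fmt.Errorf("%s: not listed in signed index", path)
	}
	if int64(len(data)) != e.Size {
		return fmt.Errorf("%s: size %d, index says %d", path, len(data), e.Size)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != e.Hash {
		return fmt.Errorf("%s: digest mismatch with signed index", path)
	}
	return nil
}

func main() {
	pub, priv := DemoKeyPair(0x42)
	// Constructed repository state for the current release.
	current := map[string][]byte{
		"Release":                   []byte("Suite: stable\nVersion: 2\n"),
		"main/binary-i386/Packages": []byte("Package: openssh\nVersion: 2.2.0\n"),
		"main/source/Sources":       []byte("Package: openssh\nVersion: 2.2.0\n"),
	}
	index := BuildIndex(current)
	sig := SignIndex(priv, index)
	entries, err := ParseIndex(pub, index, sig)
	if err != nil {
		fmt.Println("index rejected:", err)
		return
	}
	for p, data := range current {
		fmt.Printf("%-26s ok=%v\n", p, CheckFile(entries, p, data) == nil)
	}
	// A mirror replays the Packages file from release 1: same size, so only the
	// digest bound into the signed index exposes it.
	stale := []byte("Package: openssh\nVersion: 2.1.0\n")
	fmt.Println("stale Packages:", CheckFile(entries, "main/binary-i386/Packages", stale))
	// An index edited in transit fails the signature check before it is parsed.
	_, err = ParseIndex(pub, append([]byte("x"), index...), sig)
	fmt.Println("tampered index:", err)
}
```

Sizes are listed alongside digests so the acquire step can both reject a truncated or padded file without hashing it and drive an accurate progress meter, which is the side benefit the mail mentions. Pinning the key by full fingerprint and length in the trust file, as suggested above, is what makes the `ParseIndex` step meaningful: a signature from any key not in that list is rejected outright.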
