Re: Alternative signature systems





On Thu, May 16, 2019, at 4:39 AM, Richard Hughes via ostree-list wrote:
> On Thu, 16 May 2019 at 09:16, Denis Pynkin via ostree-list
> <ostree-list gnome org> wrote:
> > Probably there are any thoughts or suggestions about the
> > design/extension/changing the current GPG-only model?
>
> If it helps, fwupd and the LVFS have been using a GPG or PKCS/7 model
> for a while. Using gnutls is a much more refreshing (and predictable!)
> experience compared to the muddle of gpg2 and gnupg.

Sorry I had missed this comment earlier - the fwupd code seems good, license and language compatible; we could copy fu-keyring-pkcs7.c into libostree without too much trouble it looks like.  It has some use of an internal common lib but probably not hard at all to extract it to something we copy/paste (and define fwupd as the upstream).

There's also a lot of documentation and knowledge around PKCS/7.  Would that be acceptable for (potential) OSTree users who are looking for a non-LGPLv3 signing solution?

Denis, I know I'd mentioned ed25519 early on in this because it's simple and modern, but what do you think about adopting the fwupd code?

