Re: Alternative signature systems

On Sat, Aug 10, 2019, at 2:44 PM, Colin Walters wrote:

> On Thu, May 16, 2019, at 4:39 AM, Richard Hughes via ostree-list wrote:
> > On Thu, 16 May 2019 at 09:16, Denis Pynkin via ostree-list
> > <ostree-list gnome org> wrote:
> > > Probably there are some thoughts or suggestions about the
> > > design/extension/changing the current GPG-only model?
> >
> > If it helps, fwupd and the LVFS has been using a GPG or PKCS/7 model
> > for a while. Using gnutls is a much more refreshing (and predictable!)
> > experience compared to the muddle of gpg2 and gnupg.
>
> Sorry I had missed this comment earlier - the fwupd code seems good,
> license and language compatible; we could copy fu-keyring-pkcs7.c into
> libostree without too much trouble it looks like.  It has some use of
> an internal common lib but probably not hard at all to extract it to
> something we copy/paste (and define fwupd as the upstream).
>
> There's also a lot of documentation and knowledge around PKCS/7.  Would
> that be acceptable for (potential) OSTree users who are looking for a
> non-LGPLv3 signing solution?

Argh sorry, I'm traveling at the moment and just did a drive-by comment,
but of course now that I fully context-switch back here, the discussion started
there with Jussi's post: 

https://mail.gnome.org/archives/ostree-list/2017-June/msg00002.html

It looks like the fwupd pkcs7 code actually dates to shortly after that
discussion started.

Anyways sorry for "back seat driving" this issue a bit too much!
I'm also fine continuing down the ed25519 path - although on the
other hand a lot of people using libostree for devices I suspect will also want
to use fwupd, and supporting a common signing scheme across
them could be advantageous.

I guess my other concern there was linking to gnutls *and* openssl, but eh,
adding a gnutls checksum backend too would likely be easy.
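For readers following the "ed25519 path" mentioned above, here is an added example (not code from libostree, fwupd or this thread) of the basic shape such a scheme takes: a detached ed25519 signature over a content object, verified against a small list of trusted public keys. The `Keyring`, `SignObject` and `Verify` names are hypothetical and only the Go standard library is used; the commit bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring is a hypothetical set of trusted public keys (not libostree's API).
// A client would load these from a trust store; here they are added in code.
type Keyring struct {
	keys []ed25519.PublicKey
}

// Add appends a public key to the set of trusted signers.
func (k *Keyring) Add(pub ed25519.PublicKey) {
	k.keys = append(k.keys, pub)
}

// SignObject returns a detached ed25519 signature over the SHA-256 digest
// of the object bytes. Signing the digest keeps the signed message a fixed
// 32 bytes whatever the object size; ed25519 also hashes internally, so
// signing the raw object would be sound as well.
func SignObject(priv ed25519.PrivateKey, object []byte) []byte {
	digest := sha256.Sum256(object)
	return ed25519.Sign(priv, digest[:])
}

// Verify checks a detached signature against every trusted key and returns
// the index of the first key that validates it. A malformed signature or
// one that no trusted key accepts is an error; the caller must treat either
// as an untrusted object.
func (k *Keyring) Verify(object, sig []byte) (int, error) {
	if len(sig) != ed25519.SignatureSize {
		return -1, errors.New("malformed signature: wrong length")
	}
	digest := sha256.Sum256(object)
	for i, pub := range k.keys {
		if ed25519.Verify(pub, digest[:], sig) {
			return i, nil
		}
	}
	return -1, errors.New("no trusted key verifies this signature")
}

func main() {
	// Constructed demo: one trusted key, one unrelated key, one object.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)

	commit := []byte("constructed commit object: tree=abc123 parent=def456")
	sig := SignObject(priv, commit)
	fmt.Println("signature:", hex.EncodeToString(sig))

	var kr Keyring
	kr.Add(otherPub)
	kr.Add(pub)

	idx, err := kr.Verify(commit, sig)
	fmt.Println("verified by key", idx, "err:", err)

	// Flip one bit of the object: the detached signature must no longer match.
	tampered := append([]byte{}, commit...)
	tampered[0] ^= 1
	_, err = kr.Verify(tampered, sig)
	fmt.Println("tampered object err:", err)
}
```

The point the thread is circling is that this whole flow is a few dozen lines against a stock library, whereas a PKCS/7 path pulls in certificate and CMS parsing; which trade-off is right depends on whether sharing a scheme with fwupd matters more than keeping the dependency surface small.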