Re: Alternative signature systems

On Sat, Aug 10, 2019, at 2:44 PM, Colin Walters wrote:

On Thu, May 16, 2019, at 4:39 AM, Richard Hughes via ostree-list wrote:
On Thu, 16 May 2019 at 09:16, Denis Pynkin via ostree-list
<ostree-list gnome org> wrote:
Probably there are any thoughts or suggestions about the
design/extension/changing the current GPG-only model?

If it helps, fwupd and the LVFS has been using a GPG or PKCS/7 model
for a while. Using gnutls is a much more refreshing (and predictable!)
experience compared to the muddle of gpg2 and gnupg.

Sorry I had missed this comment earlier - the fwupd code seems good, 
license and language compatible; we could copy fu-keyring-pkcs7.c into 
libostree without too much trouble it looks like.  It has some use of 
an internal common lib but probably not hard at all to extract it to 
something we copy copy/paste (and define fwupd as the upstream).

There's also a lot of documentation and knowledge around PKCS/7.  Would 
that be acceptible for (potential) OSTree users who are looking for a 
non-LGPLv3 signing solution?

Argh sorry, I'm traveling at the moment and just did a drive-by comment,
but of course now that I fully context-switch back here, the discussion started
there with Jussi's post:

It looks like the fwupd pkcs7 code actually dates to shortly after that
discussion started.

Anyways sorry for "back seat driving" this issue a bit too much!
I'm also fine continuing down the ed25519 path - although on the
other hand a lot of people using libostree for devices I suspect will also want
to use fwupd, and supporting a common signing scheme across
them could be advantageous.

I guess my other concern there was linking to gnutls *and* openssl, but eh, adding a gnutls checksum backend 
too would likely be easy.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]