augmenting commit metadata without invalidating signatures



Hi folks,

I wanted to see if anyone had some bright ideas about this, and whether
there's a way to fix this without breaking the collection/ref binding
security model.

In Flathub, we have deployed Alex's "flat-manager" which is a Flathub
repository manager service with an HTTP API that allows you to create
API tokens for others (build workers, but also partners who do their
own builds) to push new refs to scratch repositories, then publish them
and move the commits to the main repos. It also handles signing of
commits, delta generation policy, etc.

Now that commit metadata includes both the collection and the ref
binding, we can't publish someone else's signed commit in Flathub
because we need to build a new commit that adds one or more (we might
share objects between different subsets of repos) collection IDs and
re-sign the whole thing with our key.

In the case of software received in binary form from third parties, it
would be better if Flathub could add its "collection" signature without
needing to invalidate the original upstream signature. A good example
might be Mozilla, who could sign their legit/released Firefox Flatpak
and indicate it was the genuine article, but we wouldn't want Flathub
to erase that signature just to publish it. Vice versa, someone could
choose to add a Mozilla remote that pointed to Flathub but would only
trust the Mozilla key, and not Flathub (which even though it is stored
on an HSM is still after all part of a highly-automated signing workflow
used for many hundreds of signatures a day).

So - it would be much better if we were able to add such a "pushed"
commit into the Flathub repos, and add our collection ID bindings,
without having to modify the commit and invalidate the upstream
signature. Is there a way we could, for example, add a collection and
ref binding in the detached metadata where we add a signature, so that
the original commit and its signature can be left intact?

Thanks,
Rob
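The scheme Rob is asking about, sketched as an added example that is not code from OSTree, Flatpak or flat-manager: the upstream signature covers the commit bytes themselves, while the publisher's collection/ref binding lives in a detached record keyed by the commit checksum and carries its own signature over (checksum, collections, ref). A client that trusts only the upstream key verifies the commit; a client that trusts the publisher verifies the detached binding; neither needs the commit rewritten. Assumptions, all labelled in the code: ed25519 from Go's standard library stands in for GPG, a simple text encoding stands in for the GVariant commit object, the keys are derived from fixed seeds, and the collection IDs, ref and subject are constructed. OSTree's metadata key names (`ostree.ref-binding`, `ostree.collection-binding`) are reused only as labels.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Keys are derived from fixed seeds so the example runs reproducibly offline.
// Both are assumptions for this example, not anyone's real keys.
var (
	upstreamKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	flathubKey  = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
)

// CommitBytes is the serialized commit object as pushed by upstream.
// A real OSTree commit is a GVariant; this constructed text encoding stands
// in for it. The ref binding is inside the commit, as upstream wrote it.
func CommitBytes(subject, ref, rootTree string) []byte {
	return []byte(fmt.Sprintf("subject=%s\nostree.ref-binding=%s\ntree=%s\n", subject, ref, rootTree))
}

// CommitChecksum is the content address a detached record is keyed by.
func CommitChecksum(commit []byte) string {
	sum := sha256.Sum256(commit)
	return hex.EncodeToString(sum[:])
}

// SignCommit is the upstream signature over the commit object itself.
func SignCommit(key ed25519.PrivateKey, commit []byte) []byte {
	return ed25519.Sign(key, commit)
}

// VerifyCommitSignature is what a client that trusts only the upstream key runs.
func VerifyCommitSignature(pub ed25519.PublicKey, commit, sig []byte) bool {
	return ed25519.Verify(pub, commit, sig)
}

// DetachedBinding lives beside the commit (like a .commitmeta), not inside it.
type DetachedBinding struct {
	CommitChecksum string
	Collections    []string // collection IDs the publisher binds this commit to
	Ref            string   // ref the publisher binds it to
	Signature      []byte   // publisher signature over the three fields above
}

// bindingMessage is the byte string the publisher signs. Including the commit
// checksum means the binding cannot be replayed onto a different commit.
func bindingMessage(checksum string, collections []string, ref string) []byte {
	sorted := append([]string(nil), collections...)
	sort.Strings(sorted) // canonical order so verification does not depend on slice order
	return []byte("ostree.collection-binding\x00" + checksum + "\x00" + strings.Join(sorted, ",") + "\x00" + ref)
}

// AddDetachedBinding binds an untouched commit to the publisher's collections.
// The commit bytes, and therefore the upstream signature, are not modified.
func AddDetachedBinding(key ed25519.PrivateKey, commit []byte, collections []string, ref string) DetachedBinding {
	sum := CommitChecksum(commit)
	return DetachedBinding{
		CommitChecksum: sum,
		Collections:    collections,
		Ref:            ref,
		Signature:      ed25519.Sign(key, bindingMessage(sum, collections, ref)),
	}
}

// VerifyDetachedBinding is run by a client that trusts the publisher key and
// expects the commit to be bound to a particular collection and ref.
func VerifyDetachedBinding(pub ed25519.PublicKey, commit []byte, b DetachedBinding, wantCollection, wantRef string) bool {
	if b.CommitChecksum != CommitChecksum(commit) {
		return false // record belongs to a different commit
	}
	if b.Ref != wantRef {
		return false // bound to a different ref than the one we fetched
	}
	if !ed25519.Verify(pub, bindingMessage(b.CommitChecksum, b.Collections, b.Ref), b.Signature) {
		return false // not signed by the publisher, or fields tampered with
	}
	for _, c := range b.Collections {
		if c == wantCollection {
			return true
		}
	}
	return false // signed, but not bound to the collection we expect
}

func main() {
	ref := "app/org.example.App/x86_64/stable" // constructed ref
	commit := CommitBytes("Example 1.0 (constructed)", ref, "abc123")
	upSig := SignCommit(upstreamKey, commit)
	binding := AddDetachedBinding(flathubKey, commit, []string{"org.example.Hub"}, ref)
	upPub := upstreamKey.Public().(ed25519.PublicKey)
	hubPub := flathubKey.Public().(ed25519.PublicKey)
	fmt.Println("upstream signature on untouched commit:", VerifyCommitSignature(upPub, commit, upSig))
	fmt.Println("publisher binding on untouched commit:", VerifyDetachedBinding(hubPub, commit, binding, "org.example.Hub", ref))
	// Contrast with today's workflow: rewriting the commit to add the binding breaks the upstream signature.
	rewritten := append(append([]byte(nil), commit...), []byte("ostree.collection-binding=org.example.Hub\n")...)
	fmt.Println("upstream signature on rewritten commit:", VerifyCommitSignature(upPub, rewritten, upSig))
}
```

The design point worth noting is that the detached record signs the commit checksum, the collection list and the ref together; signing only the checksum would let anyone move a valid signature onto a record claiming a different collection or ref, which is exactly the binding the collection/ref model exists to protect.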

