I've been poking at the package signing capabilities, and want to solicit
some suggestions for design. So far, I've added the ability to sign a
package with an X.509 certificate, expanding the existing mechanism for
storing signatures in the package.
I'd like suggestions about keys. At this time, both pkg_sign and pkg_check
will by default use RSA keys in the default location suggested in the ssl
manpage, namely /etc/ssl/private/server.key for signing and
/etc/ssl/server.crt for verification. You are also allowed to specify
alternate key or certificate filenames using the -u option.
1) Should I not be (ab)using the -u option in this manner?
2) Should -u be used to specify the issuer that must appear in the
certificate, or other useful "this has to come from XXX" options?
3) Should I expand the verification to use a "keyring" or to search
multiple certs in a directory? This would be relatively straightforward
to do, and would make the mechanism more generally useful
for installing packages from multiple sources.
4) Should I move the package signature checking code into the install
library and modify pkg_add such that it will not install a signed
package unless the signatures match? And perhaps allow the user
to override this with a -f option?
What I have now is sufficient for my application, but I'd like to expand
this to be useful to the BSD community at large, and submit it for
inclusion in OpenBSD.
Thanks in advance for your suggestions.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters DoBox Inc.
wes@dobox.com http://www.dobox.com/
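As an added illustration of the design questions above (questions 2, 3 and 4 in particular), here is a small model of the proposed flow in Go. It is not OpenBSD's pkg_sign/pkg_check code and not the poster's; the function names (SignPackage, VerifyPackage, ShouldInstall, Keyring) are hypothetical, the "keyring" is built in memory rather than read from a directory of certificates, the issuer check compares the certificate's issuer CN, and a throwaway RSA key and self-signed certificate stand in for /etc/ssl/private/server.key and /etc/ssl/server.crt so it runs offline. The package bytes are constructed input, not a real package.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Keyring: trusted signer certificates (a directory-based check would parse every PEM file found there).
type Keyring []*x509.Certificate

// SignPackage: RSA PKCS#1 v1.5 over SHA-256 of the package bytes (hypothetical stand-in for pkg_sign).
func SignPackage(pkg []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyPackage tries each keyring certificate and returns the one that validates
// the signature. A non-empty wantIssuer must match that cert's issuer CN
// (the "this has to come from XXX" check from question 2).
func VerifyPackage(pkg, sig []byte, ring Keyring, wantIssuer string) (*x509.Certificate, error) {
	digest := sha256.Sum256(pkg)
	for _, cert := range ring {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
			continue // not an RSA key, or not this signer: keep searching the ring
		}
		if wantIssuer != "" && cert.Issuer.CommonName != wantIssuer {
			return nil, fmt.Errorf("signature valid but issuer %q is not %q", cert.Issuer.CommonName, wantIssuer)
		}
		return cert, nil
	}
	return nil, errors.New("no keyring certificate verifies this signature")
}

// ShouldInstall: the pkg_add policy from question 4; a failed verification refuses the install unless force (-f) is set.
func ShouldInstall(pkg, sig []byte, ring Keyring, force bool) (bool, error) {
	_, err := VerifyPackage(pkg, sig, ring, "")
	if err != nil && !force {
		return false, err
	}
	return true, nil
}

// newSelfSignedCert: throwaway RSA key plus self-signed cert so the example runs
// offline; a deployment would load server.key and server.crt instead.
func newSelfSignedCert(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Demo signs a constructed package and checks it against a keyring holding an
// unrelated cert ahead of the signer's; reports whether the genuine package
// verifies (with the issuer check) and whether a tampered copy is refused.
func Demo() (genuineOK, tamperedRefused bool, err error) {
	signerKey, signerCert, err := newSelfSignedCert("pkg-signer.example")
	if err != nil {
		return false, false, err
	}
	_, otherCert, err := newSelfSignedCert("unrelated.example")
	if err != nil {
		return false, false, err
	}
	ring := Keyring{otherCert, signerCert}
	pkg := []byte("constructed package payload, not a real .tgz")
	sig, err := SignPackage(pkg, signerKey)
	if err != nil {
		return false, false, err
	}
	_, verr := VerifyPackage(pkg, sig, ring, "pkg-signer.example")
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff // one flipped byte: the signature must no longer verify
	install, _ := ShouldInstall(tampered, sig, ring, false)
	return verr == nil, !install, nil
}

func main() {
	ok, refused, err := Demo()
	fmt.Println("genuine verifies:", ok, "tampered refused:", refused, "err:", err)
}
```

The search loop is the point of the keyring question: verification succeeds if any trusted certificate validates the signature, so the tool never needs to know in advance which of several package sources produced the file, while the optional issuer comparison still lets an operator pin a single source. ShouldInstall shows the fail-closed default with the -f override kept as an explicit, logged exception rather than the normal path.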