On 22/8/23 23:22, Max Gautier wrote:
> On Sun, Aug 20, 2023 at 03:31:41PM +1000, Allan McRae wrote:
>> The answer is a solid maybe... Even leaning towards yes here! Questions to answer first:
>>
>> 1) Would we allow mixed signature verification, e.g. some repos use GPG and others use openssh? Or some repos using both?
>
> I think pacman should have the capability to check repos using both; I don't see how else we could support a distribution migrating from one signature scheme to another (re-signing all packages at once seems unpractical). I think the decision of which scheme to allow should be left to configuration, either as a global setting in pacman.conf or as a per-repo one.

I have been thinking on this... I think pacman needs to be able to be configured to support zero/either/both signature methods (just considering GPG and openssh at this time). We currently allow enabling/disabling GPG support. A global/repo-level pacman.conf setting fits our current set-up with signature level verification. However, I am not convinced that repos using a mixture of GPG and openssh signatures should not be supported. See below.

>> 2) What do we need to add to package entries in repos so that pacman knows the signature file to download?
>
> I would not differentiate signature files depending on the scheme used, and just reuse the same structure (a .sig file). I see two possible ways if we do that:
> - detect the scheme used, then verify the signature (probably better error messages)
> - try to verify the signature with all allowed schemes (simpler)

We really need better error messages anyway! The simple version is probably a no-go. GPG checks are fairly costly, and given current signature usage, it would make sense to check these first. This problem becomes worse if additional signing methods become supported. Signature type detection would be interesting, but I see it being brittle/complex if/when alternative signing methods get added. Having a single configurable signing method per repo removes the need to even deal with this.

>> Our current assumptions are very GPG based...
>
> Do you mean just the filename of the signature or also other things?

I was thinking filename, but I see openssh uses .sig too. So that logic does not need updating.

>> 3) What will be our criteria for including additional signature verification methods? openssh seems a good option for me, but we have had people request one of the other new signing variants.
>
> I would say the criteria should be that a new method brings something more or better compared to those already existing in pacman. That's a bit vague though; it would probably be on a case-by-case basis.
>
> You're talking of minisign and signify, I suppose?

Exactly.

Overall, I am happy for this idea to move forward. My suspicion is that some initial refactoring may be needed to ease the addition of new signature formats. Without looking in detail, I suspect doing that would be a good place to start.

Allan
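As an added illustration of the "detect the scheme used, then verify" option weighed in the thread above (example code, not pacman's own): a classifier that tells a detached .sig apart by its leading bytes, covering only the formats the thread names (binary and armored OpenPGP, and OpenSSH's armored signature). The sample prefixes in main() are constructed, not real signatures.

```c
#include <stdio.h>
#include <string.h>

/* Schemes the thread names; minisign/signify are deliberately not recognised. */
enum sig_scheme { SIG_UNKNOWN = 0, SIG_OPENPGP_BINARY, SIG_OPENPGP_ARMORED, SIG_SSH };

static int starts_with(const unsigned char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    return len >= plen && memcmp(buf, prefix, plen) == 0;
}

/* Classify a detached .sig file from its leading bytes only; verification
 * itself would then be dispatched to the matching backend (gpgme, ssh-keygen). */
enum sig_scheme detect_sig_scheme(const unsigned char *buf, size_t len)
{
    if (starts_with(buf, len, "-----BEGIN SSH SIGNATURE-----"))
        return SIG_SSH;
    if (starts_with(buf, len, "-----BEGIN PGP SIGNATURE-----"))
        return SIG_OPENPGP_ARMORED;
    /* Binary OpenPGP (RFC 4880 4.2): bit 7 of the first octet is always set.
     * Old format: tag in bits 5..2; new format: bit 6 set, tag in bits 5..0.
     * Tag 2 is a Signature packet, which is what gpg --detach-sign emits. */
    if (len > 0 && (buf[0] & 0x80)) {
        int tag = (buf[0] & 0x40) ? (buf[0] & 0x3f) : ((buf[0] >> 2) & 0x0f);
        if (tag == 2)
            return SIG_OPENPGP_BINARY;
    }
    return SIG_UNKNOWN;
}

const char *sig_scheme_name(enum sig_scheme s)
{
    switch (s) {
    case SIG_OPENPGP_BINARY:  return "openpgp (binary)";
    case SIG_OPENPGP_ARMORED: return "openpgp (armored)";
    case SIG_SSH:             return "openssh";
    default:                  return "unknown";
    }
}

int main(void)
{
    /* Constructed sample prefixes, not real signatures. */
    static const unsigned char gpg_bin[] = { 0x89, 0x02, 0x33, 0x04, 0x00, 0x01 };
    static const unsigned char ssh_txt[] = "-----BEGIN SSH SIGNATURE-----\nU1NIU0lH";
    printf("%s\n", sig_scheme_name(detect_sig_scheme(gpg_bin, sizeof gpg_bin)));
    printf("%s\n", sig_scheme_name(detect_sig_scheme(ssh_txt, sizeof ssh_txt - 1)));
    return 0;
}
```

A dispatcher built on this would still need the per-repo allow-list from pacman.conf, so that a scheme the repo is not configured for is rejected rather than verified.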