On 29/8/23 22:20, Max Gautier wrote:
> On Tue, Aug 29, 2023 at 12:15:10AM +1000, Allan McRae wrote:
>> However, I am not convinced that repos using a mixture of GPG and openssh signatures should not be supported. See below.
> I assume the last "not" was extraneous, right? Given the rest.
>> Signature type detection would be interesting, but I see it being brittle/complex if/when alternative signing methods get added.
> As far as I can tell, the signature formats of minisign and signify are quite close (signify can verify minisign signatures, but not the other way around [1]) and include the following header:
>     untrusted comment: <arbitrary text>
> Which could be used to distinguish types. Both SSH and GPG also have a header.
> Of course that header is necessarily untrusted, so every signature verification method should independently verify the signature structure without ever relying on the detected type.
> Having a single configurable signing method per repo removes the need to even deal with this.
> [...]
>> Overall, I am happy for this idea to move forward. My suspicion is that some initial refactoring may be needed to ease the addition of new signature formats. Without looking in detail, I suspect doing that would be a good place to start.
>> Allan
> Great!
> I'm going to take a look at the codebase and see what I can come up with. Given the discussion, I'll first focus on implementing support for configuring the signature method globally/per repo + the openssh signature format (and refactoring, if indeed needed).
> Signature type detection and "mixed signature method" repos, if we eventually go that way, can be added later on.
> Thanks
> [1]: https://github.com/jedisct1/minisign/issues/59#issuecomment-654809237
It has been a while, but I have opened an issue in our gitlab to track this: https://gitlab.archlinux.org/pacman/pacman/-/issues/67
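The header-based detection and the "headers are untrusted" caveat discussed in the quoted exchange, as an added example (not pacman code and not anything posted in the thread): the first function turns leading bytes into a type hint only, while the second checks the signify/minisign file structure on its own terms, so a file that merely carries the `untrusted comment:` line does not pass. The `untrusted comment:` header is the one quoted above; the SSH and PGP armor headers, the OpenPGP signature-packet first bytes (tag 2 in old and new packet format) and the 2-byte algorithm tag + 8-byte key id + 64-byte signature payload layout are taken from those tools' published formats. All function names and the sample inputs are my own, and the sample "signatures" are placeholder bytes, not real signatures.

```python
import base64

# Header prefixes used only as an *untrusted* type hint. The signify/minisign
# header is the one quoted in the thread; the SSH and PGP armor headers are the
# standard ones those tools emit.
SIGNIFY_LIKE_HEADER = b"untrusted comment: "
SSH_SIG_HEADER = b"-----BEGIN SSH SIGNATURE-----"
PGP_ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"

# First byte of a binary OpenPGP signature packet (tag 2): 0x88/0x89 are the
# old-format encodings with 1- and 2-byte lengths, 0xC2 is the new-format one.
PGP_BINARY_SIG_FIRST_BYTES = (0x88, 0x89, 0xC2)

# signify/minisign payload layout after base64 decoding (74 bytes total).
ALG_TAG_LEN, KEY_ID_LEN, SIG_LEN = 2, 8, 64
PAYLOAD_LEN = ALG_TAG_LEN + KEY_ID_LEN + SIG_LEN
ALG_TAGS = {b"Ed": "ed25519", b"ED": "ed25519-prehashed"}  # "ED" is minisign's prehashed mode


def detect_signature_type(data: bytes) -> str:
    """Return a type *hint* from the leading bytes. Anyone can write these
    headers, so the result must never be treated as authenticated."""
    if data.startswith(SIGNIFY_LIKE_HEADER):
        return "signify-or-minisign"
    if data.startswith(SSH_SIG_HEADER):
        return "ssh"
    if data.startswith(PGP_ARMOR_HEADER):
        return "pgp-armored"
    if data and data[0] in PGP_BINARY_SIG_FIRST_BYTES:
        return "pgp-binary"
    return "unknown"


def parse_signify_like(data: bytes) -> dict:
    """Check the signify/minisign structure independently of any hint:
    header line, valid base64, exactly 74 bytes, known algorithm tag.
    Cryptographic verification of the 64-byte signature is a separate step
    that needs the public key and an Ed25519 implementation."""
    lines = data.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(SIGNIFY_LIKE_HEADER):
        raise ValueError("missing 'untrusted comment:' header line")
    try:
        payload = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("signature line is not valid base64") from exc
    if len(payload) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN}-byte payload, got {len(payload)}")
    alg = payload[:ALG_TAG_LEN]
    if alg not in ALG_TAGS:
        raise ValueError(f"unknown algorithm tag {alg!r}")
    return {
        "algorithm": ALG_TAGS[alg],
        "key_id": payload[ALG_TAG_LEN:ALG_TAG_LEN + KEY_ID_LEN].hex(),
        "signature": payload[ALG_TAG_LEN + KEY_ID_LEN:],
    }


def is_well_formed_signify_like(data: bytes) -> bool:
    """Boolean wrapper around parse_signify_like for quick checks."""
    try:
        parse_signify_like(data)
        return True
    except ValueError:
        return False


def build_sample(alg: bytes, key_id: bytes, sig: bytes, comment: bytes) -> bytes:
    """Assemble a constructed signify-style file; the signature bytes are
    placeholders, not a real signature."""
    return SIGNIFY_LIKE_HEADER + comment + b"\n" + base64.b64encode(alg + key_id + sig) + b"\n"


# Constructed inputs (not real signatures).
SAMPLE_SIGNIFY = build_sample(b"Ed", bytes(range(8)), bytes(64), b"constructed example")
SAMPLE_MINISIGN_PREHASHED = build_sample(b"ED", bytes(range(8)), bytes(64), b"constructed example")
# Right header, wrong body: the hint says signify, the structure check says no.
SAMPLE_FORGED_HEADER = SIGNIFY_LIKE_HEADER + b"looks fine\n" + base64.b64encode(b"Ed" + bytes(10)) + b"\n"
SAMPLE_SSH = SSH_SIG_HEADER + b"\n"
SAMPLE_PGP_BINARY = bytes([0x89, 0x01, 0x33])  # constructed: tag 2 with a 2-byte length, body omitted

if __name__ == "__main__":
    for name, blob in [("signify", SAMPLE_SIGNIFY), ("forged", SAMPLE_FORGED_HEADER),
                       ("ssh", SAMPLE_SSH), ("pgp", SAMPLE_PGP_BINARY)]:
        print(name, detect_signature_type(blob), is_well_formed_signify_like(blob))
```

The split between the two functions is the point: the hint can pick which verifier to dispatch to, but each verifier re-derives everything it relies on from the bytes themselves, which is what makes a per-repo configured method and a detected method equally safe to feed into it.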