[pacman-dev] SigLevel options redux
Dan McGee
dpmcgee at gmail.com
Thu Jul 28 17:53:17 EDT 2011
So this is a bit messy. My last patch gets us close to what we need,
but turns out, I didn't fully understand what the ramifications of my
options were in the last patch here:
http://mailman.archlinux.org/pipermail/pacman-dev/2011-July/013856.html
* The Package/Database/(implicit all) stuff is fine.
* The optional/required stuff is fine (for the most part).
* Not so great is the marginal and unknown OK stuff.
Basically, there are three facets to every signature that we can examine.
* Validity: Is this signature signing the data it says it is? This is
basically three-valued- good, bad, or unknown. In GPGME, the unknown
case comes up if we don't have a copy of the public key in our
keyring, for instance.
* Trust: Do we trust this key? Note that this is very different than
the above "is this signature valid" question. This brings in the whole
web of trust business, the blackhole discussions regarding CACert,
signing each other's keys, etc.
* "Timeliness" (not sure what to call it): aka is this signature
expired, key expired, or key revoked.
So the important fact that my prior implementation did not handle
above was the missing public key. I'm thinking we should not allow for
this case, and attempt to tell the user to import the key (or prompt
them to do so, or something). Regarding "Optional" signature level, if
we find a sig, we should not proceed if we cannot verify.
As far as options go, here is what is likely worth providing:
* Validity- nothing. The signature has to be good if it exists,
nothing else is valid.
* Trust- nix what we had before. I think just one coarse-grained
option would be good here, and that is 'AlwaysTrustworthy' (naming
suggestions welcome if that isn't clear, came from gpgv man page).
This would replace the AllowMarginal/AllowUnknown options and
basically cover the bases of both. With this option, we will trust
every key *except* those marked "never trust"; without it the web of
trust will kick in and the key will need to have a certain level of
trust that way. This basically replicates what the stripped-down gpgv
does.
* Timeliness- I'm not totally sure what to do here. Maybe we shouldn't
even worry about this yet, and go with reasonably sane defaults:
- expired signature: don't allow. Since sigs have infinite lifetime
by default, there is probably a good reason to not allow one that has
gone sour.
- expired key: allow it (as long as the above expired sig case
doesn't apply too). Many keys are created with expiration dates, but
this doesn't make valid signatures created with them immediately
invalid.
- revoked key: obviously don't allow it.
Thoughts? I'm just going to go ahead with this scheme unless I hear
vastly different ideas on this.
-Dan
More information about the pacman-dev
mailing list