digital signature
Hi Jason,
I'm working on adding support for digital
signature verification in apt, to allow authentication
of the source of downloaded packages. Since
we (Conectiva) intend to work extensively
with mirror sites, that's an important feature.
The modification I'm making is to add a companion
file to sources.list, named vendors.list.
That file will contain a list of vendors the user
trusts and public key IDs for them. Each of
the repositories listed in sources.list may
have an extra field (enclosed with [] after the
distribution type), that tells which real source
that site corresponds to. So, if I have a mirror
of Conectiva at blabla.com, the sources.list entry
for it would look like:
    rpm [cncbr] ftp://blabla.com/etc other usual info comes here
where [cncbr] is a string that identifies a package vendor.
That identifier would be optional and in such case,
digital signature authentication would not be done.
The vendors.list file will contain:
    cncbr "Conectiva S.A. <security@conectiva.com.br>" gpg:1024D/99807190
which are the vendor identifier, the information about the
vendor and a list of public key types (gpg or pgp) and
IDs for it.
Having that information, the code in acquire-item.cc would
request the just downloaded file to have its signature
checked and see if it really comes from cncbr, issuing a
warning and aborting the process if it fails.
The actual checking of the package signatures is done
by rpmlib, in my case. Debian packages would probably
be checked by Debian specific classes.
Does that sound ok for you? I still haven't checked in these
changes into my cvs, but should be doing that soon,
maybe tomorrow.
--
Alfredo
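
The lookup described in the message above, as an added Python example (not part of the original message and not apt code): it parses the two file formats as quoted and decides whether a reported signer key is acceptable for a source. Failing on a vendor id that is missing from vendors.list and comparing only the key ID after the slash are assumptions; the sample files, hostnames other than blabla.com, and function names are constructed.

```python
import shlex
# Constructed sample files, modelled on the two entries quoted in the message.
VENDORS_LIST = """
cncbr "Conectiva S.A. <security@conectiva.com.br>" gpg:1024D/99807190
"""
SOURCES_LIST = """
rpm [cncbr] ftp://blabla.com/etc other usual info
rpm ftp://unsigned.example/etc other usual info
rpm [nosuch] ftp://mirror.example/etc other usual info
"""

def parse_vendors(text):
    """Map vendor id -> (description, set of (key type, key id))."""
    vendors = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # honours the quoted description
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"vendors.list: expected id, info, keys: {line!r}")
        keys = set()
        for spec in fields[2:]:
            ktype, _, rest = spec.partition(":")
            if ktype not in ("gpg", "pgp") or "/" not in rest:
                raise ValueError(f"vendors.list: bad key spec {spec!r}")
            keys.add((ktype, rest.rsplit("/", 1)[1].upper()))  # assumption: match on key ID
        vendors[fields[0]] = (fields[1], keys)
    return vendors

def parse_sources(text):
    """Return (type, vendor id or None, uri) for each sources.list entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        tagged = len(fields) > 1 and fields[1][0] == "[" and fields[1][-1] == "]"
        if len(fields) < (3 if tagged else 2):
            continue  # blank, comment or incomplete line
        entries.append((fields[0], fields[1][1:-1], fields[2]) if tagged else (fields[0], None, fields[1]))
    return entries

def check_source(vendor, vendors, signer):
    """signer is the (key type, key id) the signature checker reported, or None."""
    if vendor is None:
        return "unauthenticated"        # no [vendor] field: no signature check
    if vendor not in vendors:
        return "abort: unknown vendor"  # assumption: fail closed
    if signer is None or (signer[0], signer[1].upper()) not in vendors[vendor][1]:
        return "abort: not signed by vendor"
    return "ok"
```

The "unauthenticated" result is the case worth watching with mirrors: an entry without a vendor field is accepted with no signature check at all.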