[dev] Signing Packages

Michael M Slusarz slusarz at horde.org
Fri Oct 18 18:42:10 UTC 2013


Quoting Jan Schneider <jan at horde.org>:

> Zitat von Mathieu Parent <math.parent at gmail.com>:
>
>> Hi,
>>
>> 2013/10/17 Michael M Slusarz <slusarz at horde.org>:
>>> For security reasons, we should be signing our packages.  This is easily
>>> done via 'pear sign [packagefile]'.
>>>
>>> Granted, there isn't any easy utility to *verify* the signature  
>>> (at least in
>>> PEAR itself).  But wouldn't hurt to be doing this going forward.
>
> And there probably won't ever be such a feature in PEAR itself,  
> since development has essentially stalled. But I agree it won't hurt  
> either.

Well... I would think that this should not be something that would be  
too hard to add to PEAR, since it's essentially going to be "check if  
the package.sig file exists when installing, and verify if the config  
says to do so".

The hard part (as always) is dissemination of the public keys.  It  
would be great if this could be done via the PEAR channel itself, but  
now we are talking about rewriting large chunks of PEAR which is a  
no-go.

But security-conscious people really would not have too much of an  
issue of having to do something like "wget keys from pear.horde.org;  
gpg import keys" once, especially if it is well documented.  (This  
could even be done automatically via the install script).

>> This is very important for us packagers (me=Debian packager).
>>
>>> FYI: The signature is based on the package.xml file.  So verifying is done
>>> by:
>>> gpg --verify package.sig package.xml
>>
>> But what will be the trusted signing keys?
>
> Good question. This could be either personal developer keys that  
> include horde.org identities, or a single build key for the whole  
> project. I slightly prefer the former, because sharing a private key  
> among developers is always problematic if you don't have a central  
> build infrastructure.

I would prefer the former also, since that's the way our packaging  
system is set up (packages are created on a dev's local system).   
Although that being said... adding keys to packages is something that  
can easily be added at a later time - it doesn't need to be done at  
build time.  So we could do the latter by inserting signing during the  
upload/pirum update process.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
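The install-time check sketched in the message above ("check if the package.sig file exists when installing, and verify if the config says to do so"), written out as an added example; this is not Horde's or PEAR's code. It runs the same `gpg --verify package.sig package.xml` the thread gives, pointed at a keyring the operator filled once from the project's published keys, and reads gpg's machine-readable status lines to decide. The keyring path, the `require_signature` policy flag, the sample package directory and the `scripted_gpg` stand-in (which replays gpg status output so the decision logic can be exercised offline) are all assumptions for illustration.

```python
"""Verify a PEAR package's detached GPG signature before installing.

Added example, not PEAR's or Horde's code. Assumes the installer has a
dedicated keyring (path is an assumption) holding the keys imported once
from the project's published key file, and a config flag saying whether
unsigned packages are tolerated.
"""
import os
import subprocess
import tempfile
from enum import Enum
from typing import Callable


class Verdict(Enum):
    VERIFIED = "verified"                    # GOODSIG from a key in our keyring
    UNSIGNED_ALLOWED = "unsigned-allowed"    # no package.sig, policy tolerates it
    MISSING_SIGNATURE = "missing-signature"  # no package.sig, policy requires one
    UNKNOWN_KEY = "unknown-key"              # signed, but key not in our keyring
    BAD_SIGNATURE = "bad-signature"          # signature does not match package.xml


def gpg_status_keywords(stdout: str) -> set:
    """Collect the keywords gpg prints on --status-fd lines ('[GNUPG:] GOODSIG ...')."""
    return {
        line.split()[1]
        for line in stdout.splitlines()
        if line.startswith("[GNUPG:] ") and len(line.split()) > 1
    }


def verify_package(pkg_dir: str, keyring: str, require_signature: bool = True,
                   run: Callable = subprocess.run) -> Verdict:
    """Decide whether pkg_dir/package.xml may be installed."""
    xml = os.path.join(pkg_dir, "package.xml")
    sig = os.path.join(pkg_dir, "package.sig")
    if not os.path.exists(sig):
        return Verdict.MISSING_SIGNATURE if require_signature else Verdict.UNSIGNED_ALLOWED
    cmd = [
        "gpg", "--batch",
        "--no-default-keyring", "--keyring", keyring,  # only the imported project keys
        "--status-fd", "1",                            # status lines go to stdout
        "--verify", sig, xml,                          # the invocation from the thread
    ]
    proc = run(cmd, capture_output=True, text=True)
    status = gpg_status_keywords(proc.stdout)
    if "NO_PUBKEY" in status or "ERRSIG" in status:
        return Verdict.UNKNOWN_KEY
    if "BADSIG" in status:
        return Verdict.BAD_SIGNATURE
    if "GOODSIG" in status and "VALIDSIG" in status and proc.returncode == 0:
        return Verdict.VERIFIED
    return Verdict.BAD_SIGNATURE  # anything unexpected is treated as a failure


def make_demo_package(signed: bool) -> str:
    """Constructed sample: a temp dir with a package.xml and, optionally, a
    placeholder package.sig (not a real signature; only for offline runs)."""
    d = tempfile.mkdtemp(prefix="pear-pkg-")
    with open(os.path.join(d, "package.xml"), "w") as f:
        f.write("<package><name>Horde_Example</name></package>\n")
    if signed:
        with open(os.path.join(d, "package.sig"), "w") as f:
            f.write("-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n")
    return d


def scripted_gpg(status_lines: str, returncode: int = 0) -> Callable:
    """Offline stand-in for subprocess.run that replays canned gpg status output."""
    def run(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout=status_lines, stderr="")
    return run


if __name__ == "__main__":
    keyring = "/etc/pear/horde-signing-keys.gpg"  # assumed location of the imported keys
    print(verify_package(make_demo_package(signed=False), keyring).value)
    print(verify_package(make_demo_package(signed=False), keyring, require_signature=False).value)
    # A signed package whose key was never imported: refused, not installed
    unknown = scripted_gpg("[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1382000000 9\n"
                           "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n", 2)
    print(verify_package(make_demo_package(signed=True), keyring, run=unknown).value)
```

With a real gpg on the path and no `run=` override, the function performs the actual verification; the `UNKNOWN_KEY` verdict is the case the message worries about most (keys not yet disseminated), and keeping it distinct from `BAD_SIGNATURE` tells the operator whether to fetch keys or to distrust the package.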
