[dev] PEAR GPG signing (patches)

Michael M Slusarz slusarz at horde.org
Tue Nov 5 06:32:59 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> Following our discussion from a few weeks ago, I got off my butt and  
> decided to force the issue with the PEAR/PHP folks by actually  
> writing the code needed to do GPG signing/verifying in PEAR.

FYI: the workflow for signing/verifying would look like this with the  
current implementation:

Horde developers:

* (Still need to decide whether we would sign packages locally or with
a master key on pear.horde.org. For ease of discussion, assume that we
will sign locally -- i.e. when calling horde-components on a dev machine.)
* Need to import the PRIVATE gnupg key into PEAR.  Assume the *@horde.org
email exists in the personal keyring:
   "gpg --armor --export-secret-keys foo@horde.org > /tmp/private.key"
   "pear sign-import /tmp/private.key"
* Mark the key to use for signing:
   "pear config-set sig_keyid foo@horde.org"
* Sign a package
   "pear sign Horde_Foo-1.0.0.tgz"

Horde_Foo-1.0.0.tgz is signed in-place.


Users:

* Need to import public keys of signing authority.  (ONLY DONE ONCE;  
or when signing keys change -- that fact alone might lead to the idea  
of only having a single master key)
   "pear sign-import http://pear.horde.org/public.key"

That's it.  PEAR *should* automatically configure the location of the gpg
binary, if it exists on the local system, so that shouldn't normally be an
issue.

Then, when installing, the key would be verified.

Examples:

1.) GOOD signature

"pear install Horde_Foo-1.0.0.tgz"
gpg: WARNING: unsafe permissions on homedir `/usr/local/php/etc/pearkeys'
gpg: Signature made Mon 04 Nov 2013 10:45:01 PM MST using RSA key ID XXXXXXXX
gpg: Good signature from "Michael M Slusarz <slusarz@horde.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
[install continues]

2.) BAD signature

"pear install Horde_Foo-1.0.0.tgz"
gpg: WARNING: unsafe permissions on homedir `/usr/local/php/etc/pearkeys'
gpg: Signature made Mon 04 Nov 2013 10:45:01 PM MST using RSA key ID XXXXXXXX
gpg: BAD signature from "Michael M Slusarz <slusarz@horde.org>"
package signature is BAD!

install failed

3.) User fails to import key

"pear install Horde_Foo-1.0.0.tgz"
gpg: WARNING: unsafe permissions on homedir `/usr/local/php/etc/pearkeys'
gpg: Signature made Mon 04 Nov 2013 10:45:01 PM MST using RSA key ID XXXXXXXX
gpg: Can't check signature: No public key
[install continues]


michael


___________________________________
Michael Slusarz [slusarz at horde.org]
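The three verification outcomes shown in the post (good signature, bad signature, no public key), handled by a verifier that consumes gpg's machine-readable --status-fd stream instead of its human-readable stderr. This is an added example, not PEAR's or Horde's code. The gpg_status() helper assumes a hypothetical detached-signature layout next to the tarball; the key IDs, fingerprints and user ID are placeholders, and the status transcripts are constructed to mirror cases 1-3 above. As a design choice, the policy pins the signer's primary key fingerprint (the "not certified with a trusted signature" warning above means the user ID alone proves nothing) and fails closed when the public key is missing, which differs from case 3 above, where the install continued.

```python
"""Decide whether a package install may proceed from gpg's --status-fd output.
Added example, not PEAR code: it models the three outcomes in the post and
pins the signer by primary key fingerprint rather than by user ID."""
import re
import subprocess
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Verdict(Enum):
    GOOD = "good signature"
    BAD = "bad signature"
    NO_PUBKEY = "no public key"
    KEY_EXPIRED_OR_REVOKED = "signing key expired or revoked"
    UNKNOWN = "no usable signature status"


@dataclass
class Verification:
    verdict: Verdict
    key_id: Optional[str] = None        # long key ID reported by gpg
    user_id: Optional[str] = None       # user ID from GOODSIG/BADSIG
    fingerprint: Optional[str] = None   # primary key fingerprint from VALIDSIG


# Status lines look like "[GNUPG:] KEYWORD args..." (gnupg doc/DETAILS).
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


def parse_status(status_text: str) -> Verification:
    """Reduce a gpg --status-fd transcript to a single verdict."""
    result = Verification(Verdict.UNKNOWN)
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), (m.group(2) or "").strip()
        if keyword == "GOODSIG":
            result.key_id, _, result.user_id = rest.partition(" ")
            result.verdict = Verdict.GOOD
        elif keyword == "VALIDSIG":
            # Last field is the primary key fingerprint; the first field is
            # the fingerprint of the (sub)key that actually made the signature.
            result.fingerprint = rest.split()[-1]
        elif keyword == "BADSIG":
            result.key_id, _, result.user_id = rest.partition(" ")
            result.verdict = Verdict.BAD
        elif keyword in ("EXPKEYSIG", "REVKEYSIG"):
            result.key_id, _, result.user_id = rest.partition(" ")
            result.verdict = Verdict.KEY_EXPIRED_OR_REVOKED
        elif keyword == "NO_PUBKEY":
            result.key_id = rest
            result.verdict = Verdict.NO_PUBKEY
    return result


def install_allowed(v: Verification, trusted_fingerprints: Set[str]) -> Tuple[bool, str]:
    """Fail-closed policy: only a good signature from a pinned key passes.
    A missing public key is refused (case 3 in the post let the install go on)."""
    if v.verdict is not Verdict.GOOD:
        return False, f"package signature check failed: {v.verdict.value}"
    if v.fingerprint is None:
        return False, "GOODSIG without VALIDSIG: no fingerprint to pin against"
    if v.fingerprint.upper() not in {f.upper() for f in trusted_fingerprints}:
        return False, f"signature by unpinned key {v.fingerprint} ({v.user_id})"
    return True, f"good signature from pinned key {v.fingerprint} ({v.user_id})"


def gpg_status(signature_path: str, data_path: str, homedir: str) -> str:
    """Run gpg and capture its status stream.  Assumes a detached signature
    beside the tarball (hypothetical layout; the post signs in place)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--homedir", homedir,
         "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


# Constructed status transcripts mirroring the three cases in the post.
# Key IDs, fingerprints and the user ID are placeholders, not real keys.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {TRUSTED_FPR} 2013-11-05 1383630301 0 4 0 1 2 00 {TRUSTED_FPR}
[GNUPG:] TRUST_UNDEFINED
"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""
NO_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1383630301 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("bad", BAD_STATUS), ("no key", NO_KEY_STATUS)):
        ok, reason = install_allowed(parse_status(status), {TRUSTED_FPR})
        print(f"{name:7} -> {'install continues' if ok else 'install failed'}: {reason}")
```

The status stream is the interface gpg documents for programs; the "Good signature from ..." text on stderr is localized and may change between versions, so matching on it is fragile. Pinning by primary fingerprint also makes the single-master-key idea from the post concrete: the set of trusted fingerprints is the only thing a user has to get right once.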


