[dev] PEAR GPG signing (patches)
Michael M Slusarz
slusarz at horde.org
Tue Nov 5 17:47:18 UTC 2013
Quoting Mathieu Parent <math.parent at gmail.com>:
> 2013/11/5 Michael M Slusarz <slusarz at horde.org>:
>> Following our discussion from a few weeks ago, I got off my butt and decided
>> to force the issue with the PEAR/PHP folks by actually writing the code
>> needed to do GPG signing/verifying in PEAR.
>
> This is a great way forward.
>
> Some notes:
>
> Can we really rely on md5sums to check files? (response is probably no
> [1]). A solution would be to add sha1sum to package.xml.
Yes - I thought the same thing when working with PEAR and my next
patch was to add sha1 support. But all existing package.xml files
contain md5sums, so this is something that is as critical.
> Maybe the sign check should be moved to the same place as the checksum
> check [2]. Currently the code only checks the signature on a tgz or directory
> (but not when package.xml is directly given).
>
> [1]: http://en.wikipedia.org/wiki/MD5#Security, even if the pre-image
> attack is theoretical
> [2]:
> https://github.com/pear/pear-core/blob/a71c2ae53dffdfa6bea5a6b023e4511ef50dea47/PEAR/Installer.php#L407
This is intentional. How do you determine the signature when you
explicitly reference a package.xml file? You can't assume in this
case that a file named "package.sig" in the same directory is
associated with package.xml. To certify that this is indeed the case,
you must specify the directory instead.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
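The checksum discussion above (md5sum is what package.xml carries today, a sha1sum attribute is what Mathieu proposes) can be illustrated with a small verifier. This is an added example written for this page, not PEAR's code and not the patch Michael describes: the package.xml it builds is constructed, PEAR's real package.xml v2 carries only the md5sum attribute on each <file>, and the sha1sum attribute is assumed here as the proposed extension. Verification of the detached GPG signature over the package is a separate step and is not shown.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed file contents standing in for an unpacked package directory
# (not a real PEAR package).
FILES = {
    "Example.php": b"<?php\nfunction example() { return 1; }\n",
    "Legacy.php": b"<?php\nfunction legacy() { return 2; }\n",
}


def build_package_xml(files, sha1_for=()):
    """Build a constructed package.xml listing each file with an md5sum
    attribute (the digest PEAR's package.xml v2 actually carries) and, for
    the names in sha1_for, a hypothetical sha1sum attribute as proposed in
    the thread."""
    entries = []
    for name, data in files.items():
        attrs = 'name="%s" role="php" md5sum="%s"' % (
            name, hashlib.md5(data).hexdigest())
        if name in sha1_for:
            attrs += ' sha1sum="%s"' % hashlib.sha1(data).hexdigest()
        entries.append("   <file %s/>" % attrs)
    return ('<?xml version="1.0"?>\n<package version="2.0">\n <contents>\n'
            '  <dir name="/">\n' + "\n".join(entries) +
            "\n  </dir>\n </contents>\n</package>\n")


def _local(tag):
    # A real package.xml v2 is namespaced; strip any {ns} prefix so the
    # same walk works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def verify_checksums(package_xml, files):
    """Compare every <file> entry in package_xml against the supplied contents.
    Returns {name: status}, status being one of:
      'ok'        sha1sum present and every listed digest matches
      'md5-only'  only md5sum listed and it matches (collision-prone)
      'mismatch'  at least one listed digest differs
      'missing'   file listed in package.xml but not present
      'unchecked' no digest attribute at all
    """
    root = ET.fromstring(package_xml)
    results = {}
    for elem in root.iter():
        if _local(elem.tag) != "file":
            continue
        name = elem.get("name")
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        # Every digest that is listed must match; a matching md5 does not
        # excuse a wrong sha1.
        checks = [(algo, elem.get(attr))
                  for algo, attr in (("md5", "md5sum"), ("sha1", "sha1sum"))
                  if elem.get(attr)]
        if not checks:
            results[name] = "unchecked"
        elif any(hashlib.new(algo, data).hexdigest() != expected.lower()
                 for algo, expected in checks):
            results[name] = "mismatch"
        elif elem.get("sha1sum"):
            results[name] = "ok"
        else:
            results[name] = "md5-only"
    return results


if __name__ == "__main__":
    xml = build_package_xml(FILES, sha1_for={"Example.php"})
    print(verify_checksums(xml, FILES))
    # Constructed tampering: append code to a file after package.xml was written.
    tampered = dict(FILES)
    tampered["Legacy.php"] = FILES["Legacy.php"] + b"backdoor();\n"
    print(verify_checksums(xml, tampered))
```

Files that carry only md5sum are reported as "md5-only" rather than "ok" so an installer can decide whether to warn or refuse; since every existing package.xml only has md5sums, a hard refusal would reject all current packages, which is the compatibility problem the thread is weighing.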