On Wed, Mar 7, 2012 at 22:03, Richard Hipp <d...@sqlite.org> wrote:
> On Wed, Mar 7, 2012 at 7:10 PM, Leo Razoumov <slonik...@gmail.com> wrote:
>> On Wed, Mar 7, 2012 at 18:03, Brian Smith <br...@linuxfood.net> wrote:
>> > On Wed, Mar 7, 2012 at 2:40 PM, Leo Razoumov <slonik...@gmail.com> wrote:
>> >>
>> >> Looking through the fossil source code I found places where manifests
>> >> are clearsign-ed. But where are signatures verified?
>> >
>> > They're not. It's designed for when you're auditing check-ins (after,
>> > say, a security breach..)
>>
>> That's precisely my question. How do I audit?
>
> I never got around to implementing that part.  An audit has never come up.
> Do you have a suggested interface?
> Where do we collect the public keys for the authorized signers?
>

You do not need to collect public keys of authorized signers inside a
fossil repo. They are stored by gpg in the GPG ring of trust. I do not
think that fossil should interfere with the GPG key distribution
process. Let each project team handle their key distribution
themselves via key-signing parties, trusted key servers, etc.

The command interface for signature verification in fossil could be as follows:

$ fossil verify ?-R repository?

It sends to stdout a list of entries, one line per clearsign-ed
artifact, in the following format:
SHA1_hash   status

where the "status" field is one of three possibilities:
    (1)  signed by <key>. Check Pass
    (2)  signed by <key>. Check Fail
    (3)  signed by <key>. Check Miss

In case (3) the signature verification process was unable to complete
because, for instance, the public key was missing, etc.
A user can then grep for "check fail" and "check miss" to dwell
further on suspected artifacts using their SHA1 hashes.
The command exits with a status code of 0 if no "check fail" or "check
miss" signatures were found, 1 if only "check miss" but no "check
fail", and 2 if "check fail" has been seen.

--Leo--
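
Added example, not part of the original message and not Fossil code: a sketch of the report and exit-code logic proposed above, driven by the `[GNUPG:]` status lines that `gpg --status-fd` emits when verifying a clearsigned text. The function names and the sample data are hypothetical, and treating an expired or revoked key (or no status at all) as "Check Miss" is an assumption the message does not settle.

```python
import re

# gpg --status-fd emits machine-readable lines: "[GNUPG:] KEYWORD args..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (\S+))?", re.M)
SEVERITY = {"Check Pass": 0, "Check Miss": 1, "Check Fail": 2}

def classify(status_text):
    """Return (key_id, status) for one artifact's gpg status output."""
    seen = {}
    for keyword, arg in STATUS_RE.findall(status_text):
        seen.setdefault(keyword, arg)
    if "BADSIG" in seen:                       # signature does not match content
        return seen["BADSIG"], "Check Fail"
    if "GOODSIG" in seen:
        return seen["GOODSIG"], "Check Pass"
    # Assumption: everything else (missing, expired or revoked key, no status
    # at all) is "could not complete", so nothing passes by default.
    for keyword in ("NO_PUBKEY", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
        if keyword in seen:
            return seen[keyword], "Check Miss"
    return "<unknown>", "Check Miss"

def verify_report(artifacts):
    """Build the proposed 'SHA1_hash   status' lines and the exit code."""
    lines, exit_code = [], 0
    for sha1, status_text in artifacts.items():
        key, status = classify(status_text)
        lines.append(f"{sha1}   signed by {key}. {status}")
        exit_code = max(exit_code, SEVERITY[status])   # 2 beats 1 beats 0
    return lines, exit_code

# Constructed sample input: hashes, key IDs and names are made up.
SAMPLE = {
    "1" * 40: "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice <alice@example.org>\n",
    "2" * 40: "[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 2 01 1331157780 9\n[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB\n",
    "3" * 40: "[GNUPG:] BADSIG CCCCCCCCCCCCCCCC Carol <carol@example.org>\n",
}

if __name__ == "__main__":
    report, code = verify_report(SAMPLE)
    print("\n".join(report))
    raise SystemExit(code)
```

Parsing the status keywords rather than gpg's human-readable output keeps the classification independent of locale and message wording.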