On Wed, Dec 17, 2008 at 10:46:10AM -0600, Matthew Weigel wrote:
> Like Marc said, if you sign packages when the process doesn't protect the
> integrity of the signatures, the source used to compile the binaries
> that are signed, and the binaries themselves, you are providing a
> misleading sense of security instead of an actual benefit.

We have hopes to protect the part of the process that we can trust eventually,
e.g., the parts internal to OpenBSD.

This requires a master key, dependent keys for package signers, and that's
about it. Plus some process to revoke stuff.

Everything is there already in the packages, except the signature proper:
all files are checksummed (with sha256), all meta-information is written
in the packing-list, so we just need to sign the packing-list itself.
I have talked about this a few times already: we can do just-in-time
signature checking.

If you look closely at the pkg_* code, you'll see tendrils of the work
in progress. What do you think PackingElement::DigitalSignature is for?

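As an added illustration of the scheme sketched above (example code, not from OpenBSD's pkg_* tools): a master key certifies a package signer's key, the signer signs only the packing-list, and the installer checks just in time: signer trust (certificate and a revocation list), then the list signature, then each file against the sha256 recorded in the list. The line-oriented packing-list format, Ed25519, and the hex-keyed revocation set are assumptions, not OpenBSD's actual format or algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Package: a packing-list ("sha256 <hex> <name>" per file; a constructed format, not OpenBSD's
// plist), the signer's signature over it, the signer's public key and the master's cert over that key.
type Package struct {
	List              string
	Sig, Signer, Cert []byte
	Files             map[string][]byte
}

// NewSigner: a dependent key's certificate is just the master key's signature over its public key.
func NewSigner(master ed25519.PrivateKey) (ed25519.PrivateKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, ed25519.Sign(master, pub)
}

// Sign checksums each file into the packing-list and signs only that text; files are covered via it.
func Sign(priv ed25519.PrivateKey, cert []byte, files map[string][]byte) Package {
	var b strings.Builder
	for name, data := range files { // file names are assumed to contain no whitespace
		fmt.Fprintf(&b, "sha256 %x %s\n", sha256.Sum256(data), name)
	}
	return Package{b.String(), ed25519.Sign(priv, []byte(b.String())), priv.Public().(ed25519.PublicKey), cert, files}
}

// Verify is the just-in-time check at install time: signer trust (not revoked, certified by the
// master key), then the packing-list signature, then each file against the checksum in that list.
func Verify(master ed25519.PublicKey, revoked map[string]bool, p Package) error {
	switch {
	case revoked[fmt.Sprintf("%x", p.Signer)] || !ed25519.Verify(master, p.Signer, p.Cert):
		return fmt.Errorf("signer key revoked or not certified by master key")
	case !ed25519.Verify(ed25519.PublicKey(p.Signer), []byte(p.List), p.Sig):
		return fmt.Errorf("packing-list signature invalid")
	}
	t := strings.Fields(p.List) // tokens come in triples: sha256 <hex> <name>
	for i := 0; i+2 < len(t); i += 3 {
		if d, ok := p.Files[t[i+2]]; !ok || fmt.Sprintf("%x", sha256.Sum256(d)) != t[i+1] {
			return fmt.Errorf("checksum mismatch for %s", t[i+2])
		}
	}
	return nil
}
```

Because the file checks come after the signature check, a tampered list fails on the signature and a tampered file fails on its checksum; a key signed by anything other than the master, or one on the revocation list, is rejected before any file is looked at.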