On Jan 18, 2016, at 5:04 AM, Tomasz Gajc wrote:

> Hi Jeff, thanks for the detailed info. I have a couple of questions, hopefully 
> looking for your answer.
> 
> 2016-01-16 22:59 GMT+01:00 Jeff Johnson <[email protected]>:
> 
> 
> What remains to be done (in some order) is this:
> 
>       1) confirm the non-repudiable signature exists by building a package 
> and verifying
>       the signature (using "rpm -qvvp *.rpm" should be sufficient), and that 
> the pubkey is
>       contained within every package.
> 
> 
> Which pubkey? OMA's or rpmbuild's one?
>  

In this context, I was referring to the non-repudiable pubkey id displayed by
        rpm -qvvp some-freshly-locally-built.rpm
You will be able to tell from the debugging output which keyid was used, and
whether the signature verified.

> 
>       2) remove the check for "official" pubkey in urpmi.
> 
> I do not understand one thing. How can a user verify that an rpm file which is 
> signed with a "one time generated" gpg key is trusted with that virtual-notary 
> certificate?
>  

You can go through the download of the manifest and certificate, verify the
certificate, find the keyid that matches, and then verify the package if the
full security protocol is what you wish.

Meanwhile the security of a mirror from which you downloaded is different than
the security of the package itself. The pubkey in the *.rpm verifies the package
is untampered, the rest of the protocol verifies that the mirror contains
packages built in cooker.

(aside)
There are other protocols that could be designed & used, including registering
each set of packages built with virtual-notary. The manifest generated when
pushing to mirrors is easiest procedurally.

> 
>       3) create the manifest format to taste including additional 
> identification like the non-repudiable pubkey id
> 
> I do not understand what non-repudiable means :(
>  

Apologies for the techno jargon (but I am reluctant to invent newer! better! 
bestest! terms)

A repudiation is a statement denying some claim like this:
        Q: Did you modify anything in the package?
        A: No.

So a non-repudiable signature is a public/global assertion that nothing 
whatsoever is changed.

> 
>       4) register the manifest with http://virtual-notary.org and get the 
> certificate. confirm that the certificate
>       is consistent with the document.
> 
> What do you mean by manifest ? You mean to notarize a document ?
> http://virtual-notary.org/dispatch/document/input/
> 

The manifest lists what was published to mirrors. It will be an rpm query of
some sort, including whatever information is deemed relevant.

You can think of the manifest document being similar to
        rpm -qi *.rpm > manifest
(I believe that includes the keyid used for signing).

>  
> 
>       5) decide how to add the above steps to the mirroring process, and how 
> to document the procedure.
> 
> This is very unclear to me. Please elaborate on this more because I'd like to 
> understand how that notary should work.
> 

There is a need for an extra step before pushing content to mirrors.

That step generates the manifest on a public site and registers with 
virtual-notary.

Virtual-notary retrieves the manifest from the public site, and returns a 
certificate.

The manifest and the certificate and the packages listed in the manifest are 
then pushed to mirrors.

I do not know enough about your mirroring process to know where/how that set of
operations should be added.

The documentation of the procedure is necessary for soliciting comments/audits
about flaws/exploits in the procedure, or to describe to an end user how to
confirm whether a mirror has been compromised.

> 
>  
> 
> Apologies for wordiness. Poke me on the irc meeting if you have questions.
> 
> hth
> 
> 73 de Jeff
> 
> 

_______________________________________________
OM-Cooker mailing list
[email protected]
http://ml.openmandriva.org/mailman/listinfo/om-cooker_ml.openmandriva.org
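The end-user check Jeff sketches (manifest of what cooker pushed, notary certificate that must be consistent with that manifest, and per-package key ID match) as an added example, not code from the thread or from OpenMandriva's tooling. It assumes the manifest is `rpm -qi` output with its usual `Signature ... Key ID` line, and assumes the notary certificate carries a SHA-256 of the manifest (the real virtual-notary format is not described here); package names and key IDs are constructed.

```python
import hashlib
import re

# Constructed manifest in the style of "rpm -qi *.rpm > manifest".
# Package names and key IDs are made up for this example.
MANIFEST = """\
Name        : foo
Version     : 1.0
Release     : 1
Signature   : RSA/SHA256, Sat 16 Jan 2016 22:59:00 CET, Key ID 0123456789abcdef
Name        : bar
Version     : 2.3
Release     : 4
Signature   : RSA/SHA256, Sat 16 Jan 2016 22:59:00 CET, Key ID 0123456789abcdef
"""

# Assumed certificate shape: the notary binds a hash of the manifest document.
CERTIFICATE = {"sha256": hashlib.sha256(MANIFEST.encode()).hexdigest()}

def parse_manifest(text):
    """Map each name-version-release in the manifest to its signing key ID."""
    entries = {}
    for block in re.split(r"(?=^Name\s*:)", text, flags=re.M):
        fields = dict(re.findall(r"^(\w+)\s*:\s*(.*)$", block, flags=re.M))
        if "Name" not in fields:
            continue
        m = re.search(r"Key ID ([0-9a-f]+)", fields.get("Signature", ""))
        nvr = "%s-%s-%s" % (fields["Name"], fields["Version"], fields["Release"])
        entries[nvr] = m.group(1) if m else None
    return entries

def certificate_matches(cert, manifest_text):
    """Step 4: the certificate must be consistent with the manifest document."""
    return cert["sha256"] == hashlib.sha256(manifest_text.encode()).hexdigest()

def check_mirror(manifest_text, cert, downloaded):
    """Return (ok, reasons). `downloaded` maps nvr -> key ID as read from each
    file on the mirror (e.g. the Key ID shown by `rpm -qvvp pkg.rpm`)."""
    if not certificate_matches(cert, manifest_text):
        return False, ["manifest does not match notary certificate"]
    expected = parse_manifest(manifest_text)
    reasons = []
    for nvr, keyid in downloaded.items():
        if nvr not in expected:
            reasons.append("%s not in notarized manifest" % nvr)
        elif expected[nvr] != keyid:
            reasons.append("%s signed by %s, manifest says %s"
                           % (nvr, keyid, expected[nvr]))
    return not reasons, reasons
```

A mismatch on the certificate means the manifest itself is not the notarized one; a mismatch on a key ID means the mirror serves a package cooker did not build, even if that package's own signature verifies.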
