On 29/8/23 22:20, Max Gautier wrote:
On Tue, Aug 29, 2023 at 12:15:10AM +1000, Allan McRae wrote:
However, I am not convinced that repos using a mixture of GPG and openssh
signatures should not be supported.  See below.

I assume the last "not" was extraneous, right? Given the rest.

Signature type detection would be interesting, but I see it being
brittle/complex if/when alternative signing methods get added.

As far as I can tell, the signature formats of minisign and signify are
quite close (signify can verify minisign signatures, but not the other
way around[1]) and include the following header:

untrusted comment: <arbitrary text>

Which could be used to distinguish types. Both SSH and GPG also have a
header.

Of course that header is necessarily untrusted, so every signature
verification method should independently verify the signature structure
without ever relying on the detected type.


Having a single configurable signing method per repo removes the need to
even deal with this.

[...]

Overall, I am happy for this idea to move forward.  My suspicion is that
some initial refactoring may be needed to ease the addition of new signature
formats.  Without looking in detail, I suspect doing that would be a good
place to start.

Allan


Great!

I'm going to take a look at the codebase and see what I can come up
with.
Given the discussion, I'll first focus on implementing support for
configuring the signature method globally/per repo + the openssh
signature format (and refactoring, if indeed needed).

Signature type detection and "mixed signature method" repos if we
eventually go that way can be added later on.

Thanks

[1]: https://github.com/jedisct1/minisign/issues/59#issuecomment-654809237


It has been a while, but I have opened an issue in our gitlab to track this:

https://gitlab.archlinux.org/pacman/pacman/-/issues/67
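The header-based detection Max describes, and the point that the detected type must only select a parser and never stand in for structural checking, as an added, self-contained example that is not pacman code and not from anyone in this thread. It assumes the documented layouts of the three formats: the minisign/signify "untrusted comment:" line followed by a base64 payload of a 2-byte algorithm id, an 8-byte key id and a 64-byte Ed25519 signature; the OpenSSH "-----BEGIN SSH SIGNATURE-----" armor around a payload starting with the "SSHSIG" magic and a version of 1; and OpenPGP either ASCII-armored or as a binary packet whose tag is 2. All sample signatures below are constructed from random or zero bytes and are not real signatures; the function names are the example's own.

```python
import base64
import os
import struct

MINISIGN_HEADER = b"untrusted comment:"
SSH_ARMOR_BEGIN = b"-----BEGIN SSH SIGNATURE-----"
SSH_ARMOR_END = b"-----END SSH SIGNATURE-----"
PGP_ARMOR_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
PGP_ARMOR_END = b"-----END PGP SIGNATURE-----"


def detect_signature_type(blob: bytes) -> str:
    """Cheap, UNTRUSTED guess at the format, taken from the header only.

    The result picks which structural checker to run; it is never treated
    as evidence that the blob is well-formed, let alone valid.
    """
    if blob.startswith(MINISIGN_HEADER):
        return "minisign"  # signify writes the same first line
    if blob.startswith(SSH_ARMOR_BEGIN):
        return "ssh"
    if blob.startswith(PGP_ARMOR_BEGIN):
        return "openpgp"
    if blob and blob[0] & 0x80:  # binary OpenPGP packet: bit 7 is always set
        return "openpgp"
    return "unknown"


def check_minisign_structure(blob: bytes) -> bool:
    """Header line, then base64 of alg(2) + key id(8) + Ed25519 sig(64) = 74 bytes."""
    lines = blob.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(MINISIGN_HEADER):
        return False
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 74 and raw[:2] in (b"Ed", b"ED")


def check_ssh_structure(blob: bytes) -> bool:
    """Armor lines must match, and the payload must start with SSHSIG + version 1."""
    lines = [ln.strip() for ln in blob.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != SSH_ARMOR_BEGIN or lines[-1] != SSH_ARMOR_END:
        return False
    try:
        raw = base64.b64decode(b"".join(lines[1:-1]), validate=True)
    except ValueError:
        return False
    if len(raw) < 10 or raw[:6] != b"SSHSIG":
        return False
    (version,) = struct.unpack(">I", raw[6:10])
    return version == 1


def check_openpgp_structure(blob: bytes) -> bool:
    """Accept complete ASCII armor, or a binary packet whose tag is 2 (Signature)."""
    if blob.startswith(PGP_ARMOR_BEGIN):
        return PGP_ARMOR_END in blob
    if not blob or not blob[0] & 0x80:
        return False
    first = blob[0]
    # New-format header (bit 6 set): tag in low 6 bits; old format: bits 5..2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 2


CHECKERS = {
    "minisign": check_minisign_structure,
    "ssh": check_ssh_structure,
    "openpgp": check_openpgp_structure,
}


def classify(blob: bytes) -> tuple:
    """Return (detected type, structurally well-formed?).

    A True second element still means nothing cryptographically; the real
    verifier for that type must then run against the repo's configured key.
    """
    kind = detect_signature_type(blob)
    checker = CHECKERS.get(kind)
    return kind, bool(checker and checker(blob))


# --- constructed samples (random/zero bytes, NOT real signatures) ---------
def make_fake_minisign() -> bytes:
    body = b"Ed" + os.urandom(8) + os.urandom(64)
    return b"untrusted comment: constructed sample\n" + base64.b64encode(body) + b"\n"


def make_fake_ssh_sig() -> bytes:
    payload = b"SSHSIG" + struct.pack(">I", 1) + b"\x00" * 16
    return SSH_ARMOR_BEGIN + b"\n" + base64.b64encode(payload) + b"\n" + SSH_ARMOR_END + b"\n"


FAKE_OPENPGP_BINARY = bytes([0x88, 0x01, 0x00])  # old-format header, tag 2, length 1
# Header says "minisign", body is garbage: detection alone would be fooled.
SPOOFED_MINISIGN = b"untrusted comment: looks like minisign\nnot-base64!!\n"

if __name__ == "__main__":
    for name, blob in [("minisign", make_fake_minisign()), ("ssh", make_fake_ssh_sig()),
                       ("openpgp", FAKE_OPENPGP_BINARY), ("spoofed", SPOOFED_MINISIGN)]:
        print(name, classify(blob))
```

The spoofed sample is the case the thread's caveat is about: the header alone says "minisign", but the structural check rejects it, so a verifier that dispatched on the header and then trusted it would have been handed garbage. With a single configured signing method per repo, as Allan suggests, the detection step disappears and only the structural check and the real verification for that one method remain.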

