Actually, bug 16857 already covers this RFE :)
Brock
On 01/28/11 02:10 PM, Danek Duvall wrote:
> Brock Pytlik wrote:
>>> I think these changes constitute an incompatible API update.
>> Could you explain why? As far as I'm aware, there's no impact across
>> the API boundary.
> Well, you're adding new exceptions, so that's a change, though compatible.
> But you're also making incompatible changes in client/publisher.py, which
> has the following comment at the top:
> # NOTE: Any changes to this file are considered a change in client api
> # interfaces and must be fully documented in doc/client_api_versions.txt
> # if they are visible changes to the public interfaces provided.
> Shawn put that comment in when he added the file, so I have no reason to
> believe otherwise.
>>> t_pkgsign.py:
>>> - test_inappropriate_use_of_code_signing_cert(): I can't say I'm
>>> following this all that well, but are you using the wrong type of cert
>>> to sign a package? If so, then why aren't we detecting a problem when
>>> we sign the package, rather than waiting until we install it?
>> In this case, I'm using a code signing certificate (i.e., a leaf
>> certificate) to sign another leaf certificate. In other words, this
>> is a problem in the certificate chain that exists when we sign the
>> package, but not in the certificate we're using to sign the package.
>> In theory, pkgsign could possibly verify this, but doesn't currently.
> Okay; I thought that might have been the case, but was having trouble
> following the intertwining of the keys and the code logic. It would be
> nice to catch this problem at signing time, and not just on install -- the
> sooner a problem is caught, the cheaper it is to fix, and the time when we
> sign is a good chokepoint for finding these problems, as not all packages
> may get installed during testing.
>> The situation you describe is the other test,
>> inappropriate_use_of_cert_signing_cert. In that case, pkgsign could
>> check the single cert being used to sign the package. However, even
>> if we did that, I think we'd still need to check it on the client
>> side, both to be in compliance with the relevant RFC and because (in
>> theory), a package could have a signature action without pkgsign ever
>> being used.
> Yes, absolutely. I think it would be useful to check at signing time, too,
> though, for the same reasons as above. For now, an RFE.
> Thanks,
> Danek
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
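The two misuse cases discussed in the thread (a code-signing leaf certificate used to issue another certificate, and a cert-signing CA certificate used to sign the package itself), as an added example that is not pkg(5) code and was not written by either participant. It uses the third-party Python `cryptography` package (an assumption; pkg(5) of that era did not use it), builds a throwaway PKI in memory, and runs one chain check that a signing tool such as pkgsign could run before producing a signature and that the client must still run at install time, since a signature action can exist without pkgsign. The function and scenario names (`check_chain`, `run_scenarios`, `_make_cert`) are invented for the example.

```python
"""Added example (not pkg(5) code): the chain checks behind the two
t_pkgsign cases above, using the third-party `cryptography` package
(assumed installed).  A chain is [signer, its issuer, ..., trust anchor].
Rules enforced (RFC 5280): the package-signing cert must be a non-CA cert
with keyUsage digitalSignature and extKeyUsage codeSigning; every issuer
must be a CA (basicConstraints CA:TRUE, keyUsage keyCertSign) and must
actually have signed its child.  All certificates are generated here."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


class ChainError(Exception):
    """Raised when a chain violates the policy above."""


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _ext(cert, cls):
    """Extension value of class `cls`, or None if the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def _is_ca(cert):
    bc = _ext(cert, x509.BasicConstraints)
    return bc is not None and bc.ca


def check_chain(chain):
    """Validate chain[0] as a package signer chaining up to chain[-1].
    Returns True, or raises ChainError with the reason."""
    if not chain:
        raise ChainError("empty chain")
    signer = chain[0]
    # inappropriate_use_of_cert_signing_cert: a CA cert signs the package.
    if _is_ca(signer):
        raise ChainError(f"cert-signing certificate {_cn(signer)} used to sign a package")
    ku = _ext(signer, x509.KeyUsage)
    if ku is None or not ku.digital_signature:
        raise ChainError(f"{_cn(signer)} lacks keyUsage digitalSignature")
    eku = _ext(signer, x509.ExtendedKeyUsage)
    if eku is None or ExtendedKeyUsageOID.CODE_SIGNING not in list(eku):
        raise ChainError(f"{_cn(signer)} lacks extKeyUsage codeSigning")
    # inappropriate_use_of_code_signing_cert: a leaf issued another cert
    # somewhere up the chain.  Also confirm each link cryptographically.
    for child, issuer in zip(chain, chain[1:]):
        if child.issuer != issuer.subject:
            raise ChainError(f"{_cn(child)} was not issued by {_cn(issuer)}")
        if not _is_ca(issuer):
            raise ChainError(f"{_cn(issuer)} is not a CA but issued {_cn(child)}")
        iku = _ext(issuer, x509.KeyUsage)
        if iku is None or not iku.key_cert_sign:
            raise ChainError(f"{_cn(issuer)} lacks keyUsage keyCertSign")
        try:  # all keys below are ECDSA/P-256, so verify with ECDSA
            issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            raise ChainError(f"signature on {_cn(child)} does not verify against {_cn(issuer)}")
    return True


def _make_cert(cn, key, issuer_cn, issuer_key, ca):
    """Issue a cert for `key` signed by `issuer_key`: CA or code-signing leaf."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder()
         .subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(
             digital_signature=not ca, content_commitment=False, key_encipherment=False,
             data_encipherment=False, key_agreement=False, key_cert_sign=ca,
             crl_sign=ca, encipher_only=False, decipher_only=False), critical=True))
    if not ca:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]),
                            critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def run_scenarios():
    """Build a constructed in-memory PKI; return {scenario: error or None}."""
    root_k, inter_k, code_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _make_cert("root", root_k, "root", root_k, ca=True)
    inter = _make_cert("intermediate", inter_k, "root", root_k, ca=True)
    code = _make_cert("code-signer", code_k, "intermediate", inter_k, ca=False)
    leaf = _make_cert("leaf-signed-by-leaf", leaf_k, "code-signer", code_k, ca=False)
    scenarios = {
        "good": [code, inter, root],
        "inappropriate_use_of_code_signing_cert": [leaf, code, inter, root],
        "inappropriate_use_of_cert_signing_cert": [inter, root],
    }
    results = {}
    for label, chain in scenarios.items():
        try:
            check_chain(chain)
            results[label] = None
        except ChainError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    for label, err in run_scenarios().items():
        print(f"{label}: {'OK' if err is None else 'REJECTED: ' + err}")
```

Calling `check_chain` from the signing tool rejects both bad chains before any signature is produced, which is the cheap chokepoint Danek asks for; calling the same function again on the client at install time covers signature actions that were produced without the tool, which is why Brock's point stands that the client-side check cannot be dropped even if the signing-time check is added.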