File: TODO

package info
debsig-verify 0.34
  • area: main
  • in suites: sid
  • size: 908 kB
  • sloc: sh: 6,915; ansic: 1,219; makefile: 102
* Add tests for no matched IDs.

* Add tests for weak algorithms in keys.

* Add tests for key expiry.

* Add tests for optional, reject selections/verification policies.

* Add tests for failing required verifications.

* Add tests for multiple UIDs or keys; this needs fixes in the code.

* Update comments in example policies.

* Objectives of the redesign:
  - Make it possible to implement in dpkg-deb (for signing and verification)
    so all usual essential package restrictions apply.
  - Make it possible to use only SOP/SOPV (remove all introspection of
    OpenPGP objects that requires GnuPG-specific interfaces).
  - Make it extensible to other signature formats or workflows.
  - Make it possible and acceptable for uploads to the Debian archive (even
    if this ends up being not allowed, for example due to reproducibility
    concerns).

* Redesign format:
  - Should be stored in a sigs.tar ar member, to avoid an unbounded number of
    new ar members depending on the roles.
  - Should be able to add other origin signature types to be future-proof.
    Namespace the contents within sigs.tar with openpgp/ so that perhaps
    other signatures can be added there, such as secure-boot or IMA.
  - Should sign the entire archive up to the sigs.tar member, so there is no
    need to extract and concatenate members.
  - Should end up with the signatures installed into the dpkg db (under a
    new /var/lib/dpkg/sigs directory), for later retrieval. For example
    for reproducible .debs, to be able to dpkg-repack them.

* Redesign policies:
  - Do not require XML (to avoid pulling new packages into the essential set).
  - Do not require OpenPGP object introspection for signatures and keys (to
    simplify the verification process and be able to use SOP/SOPV/sq/sqv).
  - Use a keyring-centric workflow for simple verification, which has been
    proven to work fine and be enough for distributions on archive-based
    signing strategies.
    + Use the origin name as entry point, and either a fixed keyring name
      or the role names to refer to keyrings.
    + Drop support for optional/required/reject policy actions.
    + No apparent need to be able to also pin a certificate to a specific
      package in addition to an origin.
    + Unclear whether to keep «roles», for now leaning towards keeping them,
      as they could be dropped in the future easily.
  - Use the filesystem as the policy declaration. For example:
    <policy-dir>/keyrings/debian/origin.pgp
    <policy-dir>/keyrings/debian/role-maint.pgp
    <policy-dir>/keyrings/debian/role-uploader.pgp
    <policy-dir>/keyrings/debian/role-builder.pgp
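
  The two rules above ("sign everything up to the sigs.tar member" and "use
  the filesystem as the policy declaration") as an added shell example; this
  is not debsig-verify code. It walks the ar(1) member headers of an archive
  to find the byte offset where the sigs.tar member starts, which is the
  length a detached signature has to cover, and it resolves keyring paths
  from the <policy-dir>/keyrings/<origin>/ layout with the origin name
  validated before it is used as a path component. The sample archive, the
  ar_member/make_sample_deb helpers and the rejection of any member placed
  after sigs.tar (nothing would cover it) are constructed assumptions for
  this example; the actual call to sopv/sqv is left as a comment.

```shell
#!/bin/sh
# Added example, not debsig-verify code: implements two rules from the
# redesign notes against a constructed sample archive.
#  1. the signed region is every byte before the sigs.tar ar member;
#  2. keyrings are resolved from <policy-dir>/keyrings/<origin>/{origin,role-*}.pgp.
# Assumption beyond the TODO: members after sigs.tar are rejected, since the
# signature does not cover them.
set -eu

AR_HDR=60   # fixed ar(1) member header size; global magic "!<arch>\n" is 8 bytes

# Member name from the header at byte offset $2 of archive $1
# (strip space padding and the '/' suffix GNU ar appends).
ar_member_name() {
    dd if="$1" bs=1 skip="$2" count=16 2>/dev/null | sed 's/[ /]*$//'
}

# Decimal payload size from the header at byte offset $2 of archive $1.
ar_member_size() {
    dd if="$1" bs=1 skip="$(( $2 + 48 ))" count=10 2>/dev/null | tr -d ' '
}

# Print the number of leading bytes a signature must cover: everything up to
# the header of the sigs.tar member. Returns 1 if there is no such member,
# 2 if unsigned members follow it.
signed_length() {
    deb=$1
    total=$(wc -c < "$deb" | tr -d ' ')
    off=8
    while [ "$off" -lt "$total" ]; do
        name=$(ar_member_name "$deb" "$off")
        size=$(ar_member_size "$deb" "$off")
        case $size in ''|*[!0-9]*) return 1 ;; esac
        # payloads are padded to an even byte boundary
        next=$(( off + AR_HDR + size + (size % 2) ))
        if [ "$name" = sigs.tar ]; then
            [ "$next" -eq "$total" ] || return 2
            echo "$off"
            return 0
        fi
        off=$next
    done
    return 1
}

# Keyring path for an origin and optional role under the proposed layout.
# The origin comes from the package, so it is checked before being used as a
# path component; a missing keyring means "unknown origin", never "skip".
policy_keyring() {
    policy_dir=$1 origin=$2 role=${3:-}
    case $origin in ''|.*|*/*) return 1 ;; esac
    case $role in *[!a-z0-9-]*) return 1 ;; esac
    if [ -n "$role" ]; then
        f=$policy_dir/keyrings/$origin/role-$role.pgp
    else
        f=$policy_dir/keyrings/$origin/origin.pgp
    fi
    [ -f "$f" ] || return 1
    echo "$f"
}

# --- constructed sample data (not a real .deb) -------------------------------

# Emit one ar member: $1 name, $2 payload size, payload on stdin.
ar_member() {
    printf '%-16s%-12s%-6s%-6s%-8s%-10s`\n' "$1" 0 0 0 100644 "$2"
    cat
    [ $(( $2 % 2 )) -eq 0 ] || printf '\n'
}

# Four-member archive shaped like a .deb with a trailing sigs.tar member.
# Payloads are dummies; only the member layout matters for this example.
make_sample_deb() {
    {
        printf '!<arch>\n'
        printf '2.0\n'        | ar_member debian-binary 4
        printf 'CONTROL'      | ar_member control.tar 7
        printf 'DATA-PAYLOAD' | ar_member data.tar 12
        printf 'SIG'          | ar_member sigs.tar 3
    } > "$1"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_deb "$tmp/sample.deb"
    mkdir -p "$tmp/policy/keyrings/debian"
    : > "$tmp/policy/keyrings/debian/origin.pgp"   # placeholder, not a real key
    len=$(signed_length "$tmp/sample.deb")
    keyring=$(policy_keyring "$tmp/policy" debian)
    # A real verifier would now hand the first $len bytes of the .deb and the
    # signature extracted from sigs.tar to sopv/sqv together with $keyring.
    echo "signed prefix: $len bytes, keyring: $keyring"
    rm -rf "$tmp"
}
demo
```

  For the constructed archive the signed prefix is 212 bytes (8-byte magic
  plus the three padded members before sigs.tar); appending anything after
  the sigs.tar member makes signed_length fail instead of silently shrinking
  the signed region, and an origin such as "../debian" is refused before any
  keyring lookup happens.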

* Given that GnuPG has opted out of the OpenPGP specification and will
  not be adopting new revisions (including the current one, RFC9580),
  we should be moving away from any reliance on it. The redesign work
  mentioned above is one of the prerequisites for this.

* Figure out how to integrate this more tightly with the package tools
  (apt, dpkg, etc.).
  - Move all .deb format handling into libdpkg.
  - Merge into dpkg-deb, once the only dependency is sopv/sqv (and perhaps
    gpgv for portability, or perhaps rnp).

* Add some more info to the verbose output.
  STATUS: in progress

* Obviously this needs more code auditing.
  - The code uses static buffers and length-constrained functions (snprintf,
    strncmp) wherever possible, but in some cases it might make sense to
    switch them to dynamically allocated buffers instead.

* I18n and l10n.