public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Tree signing and verification on the user side - status?
From: Andreas K. Huettel @ 2017-04-03 19:59 UTC
  To: gentoo-dev


Hey all, 

while we're discussing super-strength hash algos, it would be cool to know 
what's still missing for
* rsync-side manifest signing in whatever way
* verification of such signatures in portage / emerge

This is the bigger problem (probably also requiring more work though)...

Cheers, 
Andreas

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)


* Re: [gentoo-dev] Tree signing and verification on the user side - status?
From: Andreas K. Huettel @ 2017-04-04 10:03 UTC
  To: gentoo-dev


> 
> while we're discussing super-strength hash algos, it would be cool to know
> what's still missing for
> * rsync-side manifest signing in whatever way
> * verification of such signatures in portage / emerge
> 

(and just to put it in a reference frame, I'm these days reading mailing list 
discussions how cryptographic signing of our rsync tree is urgently needed...
... in the council agenda threads 
... of the very first council
... i.e., 2005
... i.e., roughly 12 years ago.)

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)


* Re: [gentoo-dev] Tree signing and verification on the user side - status?
From: Dirkjan Ochtman @ 2017-04-04 11:10 UTC
  To: Gentoo Development

On Tue, Apr 4, 2017 at 12:03 PM, Andreas K. Huettel
<dilfridge@gentoo.org> wrote:
>> while we're discussing super-strength hash algos, it would be cool to know
>> what's still missing for
>> * rsync-side manifest signing in whatever way
>> * verification of such signatures in portage / emerge
>>
>
> (and just to put it in a reference frame, I'm these days reading mailing list
> discussions how cryptographic signing of our rsync tree is urgently needed...
> ... in the council agenda threads
> ... of the very first council
> ... i.e., 2005
> ... i.e., roughly 12 years ago.)

Was thinking exactly the same thing yesterday. How do we make it
happen? Do we have any ideas on feasible paths forward?

Cheers,

Dirkjan



* Re: [gentoo-dev] Tree signing and verification on the user side - status?
From: Kristian Fiskerstrand @ 2017-04-04 17:48 UTC
  To: gentoo-dev



[Sent from my iPad; as it is not a secured device, there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel; if you find any information controversial or unexpected, send a response and request a signed confirmation.]

> On 4 Apr 2017, at 12:10, Dirkjan Ochtman <djc@gentoo.org> wrote:
> 
> On Tue, Apr 4, 2017 at 12:03 PM, Andreas K. Huettel
> <dilfridge@gentoo.org> wrote:
>>> while we're discussing super-strength hash algos, it would be cool to know
>>> what's still missing for
>>> * rsync-side manifest signing in whatever way
>>> * verification of such signatures in portage / emerge
>>> 
>> 
>> (and just to put it in a reference frame, I'm these days reading mailing list
>> discussions how cryptographic signing of our rsync tree is urgently needed...
>> ... in the council agenda threads
>> ... of the very first council
>> ... i.e., 2005
>> ... i.e., roughly 12 years ago.)
> 
> Was thinking exactly the same thing yesterday. How do we make it
> happen? Do we have any ideas on feasible paths forward?

After having been through two GSoCs, the meta-manifest code is written, gkeys is in testing stage for key management etc.

iirc (taken from memory, can include faulty info) waiting on (i) infra generation of key material on airgapped system with appropriate signing subkey to use for online server, (ii) code to do signing on rsync staging area (which is mostly written) on aforementioned subkey, (iii) testing of the aforementioned code before rollout.

It is coordinated by Gentoo Keys project, so questions should really be directed there (gkeys@).

