Date: Tue, 24 Mar 1998 16:58:46 +0100
From: Eivind Eklund <eivind@yes.no>
To: Derek Flowers <djflow@portwwwbus.tc.cc.va.us>, Wes Peters - Softweyr LLC <softweyr@xmission.com>
Cc: software@kew.com, stable@FreeBSD.ORG
Subject: Re: Binary package updates, etc.
Message-ID: <19980324165846.10465@follo.net>
In-Reply-To: <Pine.BSF.3.96.980323233422.14462A-100000@portwwwbus.tc.cc.va.us>; from Derek Flowers on Tue, Mar 24, 1998 at 12:08:40AM -0500
References: <199803232209.PAA27779@xmission.xmission.com> <Pine.BSF.3.96.980323233422.14462A-100000@portwwwbus.tc.cc.va.us>
On Tue, Mar 24, 1998 at 12:08:40AM -0500, Derek Flowers wrote:
> > o How do we authenticate the packages so we can be sure we're not
> > installing the new FreeBSD kernel virus from Chaos?
> >
> > The JAR signing mechanism mentioned by Eivind sounds like a great
> > methodology, if package users are not required to install the JDK. If
> > package creators have to install the JDK in order to build the
> > signature, that should be acceptable.
>
> Not too familiar with the JAR signing mechanism, but we need to be careful
> of ITAR regulations. I believe GNU is doing some work on a PGP work-alike
> that is available outside the U.S.; it may be useful here.

The JAR manifests do not force a particular signing methodology. The
standard mentions PGP, x509 and DSS (aka DSA) as viable signing methods.
The standard determines how checksums etc. should be stored, to allow
multiple signing methods, multiple signatures on a single package,
packages that are partially signed, and packages that have different
parts signed by different parties.

It looks very nice, though there are some loose details in the spec.
E.g. it talks about MD5ing entries in a text file, but it does not talk
about how to decide what is the start and end of an entry.

References:
http://www.javasoft.com/products/jdk/1.2/docs/guide/jar/manifest.html
http://java.sun.com:81/security/usingJavakey.html

My intention is to use libeay (aka libcrypto) to verify the signatures;
it has taken care of the export restrictions. Using it would mean packages
would have their signatures checked if it was installed, and would emit
large warnings if it wasn't installed. This should of course be
dynamically linked, the same way libalias is with IIJ-PPP.

It should also be possible to use libcrypto to verify PGP signatures; if
I've understood correctly, PGP can link against it to get hold of all
crypto bits, making it possible to export a crypto-free PGP.

A neat addition would be to use libcrypto if installed, with a fallback
to PGP, with a fallback to no verification. This would use the best
signing possible WRT the normally installed tools.

Eivind.
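Added example, not code from the thread: a small Python verifier for the manifest layout Eivind describes, reporting each package member as ok, mismatch, unsigned (the partially signed case) or missing. It assumes blank-line-separated "Name:" entries as the boundary he notes the spec leaves loose, and the sample files, manifest and the make_manifest/verify helpers are constructed here.

```python
import base64
import hashlib

# Added example, not code from the thread: a toy verifier for the JAR-style
# manifest layout Eivind describes (blank-line-separated "Name:" sections, each
# with a base64 "<ALGO>-Digest:"). Entry boundary and all data are assumptions.
ALGO = "MD5"  # the thread talks about MD5ing entries; SHA1 works the same way

def digest_b64(data: bytes) -> str:
    """Base64 of the raw digest, the encoding the manifest format uses."""
    return base64.b64encode(hashlib.new(ALGO.lower(), data).digest()).decode()

def make_manifest(files: dict, signed_names) -> str:
    """Build a manifest covering only `signed_names` (partial signing)."""
    sections = ["Manifest-Version: 1.0"]
    for name in signed_names:
        sections.append(f"Name: {name}\n{ALGO}-Digest: {digest_b64(files[name])}")
    return "\n\n".join(sections) + "\n"

def parse_manifest(text: str) -> dict:
    """Split on blank lines (assumed entry boundary); map Name -> attributes."""
    entries = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        pairs = (line.split(":", 1) for line in section.splitlines() if ":" in line)
        attrs = {k.strip(): v.strip() for k, v in pairs}
        if "Name" in attrs:
            entries[attrs["Name"]] = attrs
    return entries

def verify(manifest: str, files: dict) -> dict:
    """Classify every member: ok, mismatch, unsigned (not covered) or missing."""
    entries = parse_manifest(manifest)
    report = {}
    for name, data in files.items():
        attrs = entries.get(name)
        if attrs is None:
            report[name] = "unsigned"   # in the package, not covered by the manifest
        elif attrs.get(f"{ALGO}-Digest") == digest_b64(data):
            report[name] = "ok"
        else:
            report[name] = "mismatch"   # contents changed after the digest was made
    for name in entries.keys() - files.keys():
        report[name] = "missing"        # covered by the manifest, absent from package
    return report

# Constructed package contents standing in for files on disk.
FILES = {"bin/tool": b"#!/bin/sh\necho hi\n", "etc/tool.conf": b"verbose=1\n",
         "README": b"unsigned docs\n"}
MANIFEST = make_manifest(FILES, ["bin/tool", "etc/tool.conf"])
TAMPERED = {**FILES, "bin/tool": b"#!/bin/sh\necho changed\n"}
```

The report is deliberately per entry so a caller can distinguish an unsigned file (allowed by the spec) from a digest mismatch, which is the case the fallback-to-no-verification path would silently miss.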