example-bundles

should example bundles be signed or unsigned

Open michelleN opened this issue 6 years ago • 4 comments

Following up from the convo on #29

We make the signing piece pretty easy on the backend so I think the bundles that exist in this repo should be signed by default.

There is a directory that is called bundles in this repo which just contains a bundle of bundle.json files. I think those can be unsigned examples.

What do we think? @technosophos @tariq1890 @radu-matei

michelleN avatar Nov 16 '18 14:11 michelleN

Should we use the same key to sign all the example bundles and bake in the public key to make all of this just kind of work for the examples?

It’s probably also fine to say that people need to do a duffle key add or whatever in the docs, but if we are going to say they should do that it might be useful to prebake that public key into the binaries for people kicking the tires on the sample bundles.

jeremyrickard avatar Nov 16 '18 15:11 jeremyrickard

We could prebake a public key into the binary, but it could turn into a security liability if that one key was ever compromised.

technosophos avatar Nov 16 '18 15:11 technosophos

I think what Jeremy was suggesting is that only the public key is distributed with duffle. We would keep a private key (within our team) just for signing our demos/examples, so that they can all be signed, without worrying about how to distribute the public key for verification.

Since we are only distributing the public key, then there's no worry about compromising it.

People would still be on their own for coming up with a keypair for signing their own things.

carolynvs avatar Nov 16 '18 15:11 carolynvs

@technosophos is right, if our private key got compromised, then people could use it and duffle implicitly trusts anything signed by that. So baking it in, probably not right.

I still think that we should sign the examples though. Default duffle behavior is things are expected to be signed. If we immediately turn around and for all the examples say "run the not recommended insecure way" that seems to be confusing the message.

jeremyrickard avatar Nov 16 '18 15:11 jeremyrickard
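The trust model the thread settles on (examples signed with a team-held private key, only the public key distributed to clients, and that public key removable if the private half is ever compromised) in working form, as an added example that is not part of this thread and not duffle's own signing code. It uses Ed25519 from Go's standard library as a stand-in for whatever signature scheme duffle actually uses; the `TrustStore`, `Sign`, `Verify`, `Add` and `Revoke` names and the sample bundle bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is a constructed stand-in for the bytes of a bundle.json file.
type Bundle []byte

// SignedBundle carries the bundle, a detached signature, and the ID of the
// key that produced it so the verifier knows which trusted key to look up.
type SignedBundle struct {
	Bundle Bundle
	KeyID  string
	Sig    []byte
}

// TrustStore maps key IDs to public keys the client accepts. It holds only
// public halves, so it can be shipped in the binary or filled by a
// `duffle key add`-style command without exposing any signing capability.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUntrustedKey = errors.New("bundle signed by a key that is not in the trust store")
	ErrBadSignature = errors.New("signature does not match bundle contents")
)

// GenerateSigningKey creates a fresh Ed25519 keypair; the private half stays
// with whoever signs (here, the hypothetical team that owns the examples).
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is unrecoverable for this demo
	}
	return pub, priv
}

// KeyID derives a short, stable identifier from a public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a detached Ed25519 signature over the bundle bytes.
func Sign(priv ed25519.PrivateKey, b Bundle) SignedBundle {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedBundle{Bundle: b, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, b)}
}

// Verify accepts a bundle only when its signing key is trusted AND the
// signature checks out; an unknown key is rejected before any crypto runs.
func (ts TrustStore) Verify(sb SignedBundle) error {
	pub, ok := ts[sb.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, sb.Bundle, sb.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Add registers a public key as trusted (what a `duffle key add` would do).
func (ts TrustStore) Add(pub ed25519.PublicKey) { ts[KeyID(pub)] = pub }

// Revoke removes a key, which is the recovery path if its private half is
// ever compromised: every bundle it signed stops verifying from then on.
func (ts TrustStore) Revoke(pub ed25519.PublicKey) { delete(ts, KeyID(pub)) }

func main() {
	examplesPub, examplesPriv := GenerateSigningKey() // team-held key
	_, strangerPriv := GenerateSigningKey()           // key nobody vouched for

	trusted := TrustStore{}
	trusted.Add(examplesPub) // the only key baked into the client

	bundle := Bundle(`{"name":"helloworld","version":"0.1.0"}`) // constructed sample
	fmt.Println("signed by examples key:", trusted.Verify(Sign(examplesPriv, bundle)))
	fmt.Println("signed by stranger:    ", trusted.Verify(Sign(strangerPriv, bundle)))

	trusted.Revoke(examplesPub) // simulate the response to a key compromise
	fmt.Println("after revocation:      ", trusted.Verify(Sign(examplesPriv, bundle)))
}
```

The point the thread makes falls out of the last three lines of `main`: baking the public key in costs nothing if only the public half ships, but a compromised private key means every client has to pull that key out of its trust store, which is why a single long-lived baked-in key is a liability rather than a convenience.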