
Add support for OpenSSL digest signatures

Open theseer opened this issue 8 years ago • 0 comments

Some projects seem to use OpenSSL digest signatures to "sign" their releases. Phive might support this type of signature, even though it has quite a few tricky parts:

  • No info which key was used to create signature: A signature file does not contain any information as to what private key was used to create it. Consequently, there is no automated way to determine which accompanying public key to use to verify.

  • No info which hash algorithm was used: There seems to be no reliable source of information which hash algorithm was used to create the signature. Depending on the way the signature was created, this may actually be guessable in some cases, but this will not work for most cases.

  • No standard distribution format: Signature files can be in binary or base64 encoded format. We would have to detect whether or not the file is base64 encoded before passing it to openssl's verify method. This could of course be implemented.

  • No standard to find or download public keys: Ignoring that we do not have a means to determine which key we would need to begin with, there also seems to be no central service like there is for pgp/gpg to query for public keys. This means that this step cannot be automated.

Conclusion

If we want to add support for OpenSSL signatures, the installing user or system has to manually get and register a public key for an alias or vendor/project and also has to manually specify the hash algorithm and potentially the file format.

theseer, Aug 26 '17 14:08
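As an added example (not phive's own code), the verification step from the conclusion written as POSIX shell functions around the openssl CLI: the public key file and hash algorithm are assumed to have been registered by the user for the vendor, and only the binary-versus-base64 question is detected automatically, by a heuristic that fails closed when base64 decoding rejects the file.

```shell
#!/bin/sh
# Added example: verify an OpenSSL digest signature once the user has supplied
# what the signature file itself does not carry: the public key and the digest.

# Return 0 if the signature file looks like base64 text, 1 if it looks binary.
# Heuristic: every byte must be in the base64 alphabet, '=' padding or a newline.
is_base64_sig() {
    # LC_ALL=C makes tr work byte-wise; any leftover byte means binary content.
    [ -z "$(LC_ALL=C tr -d 'A-Za-z0-9+/=\n\r' < "$1" | head -c 1)" ]
}

# Usage: verify_openssl_sig <pubkey.pem> <digest> <release file> <signature file>
# <digest> is the algorithm the user registered for this vendor (sha256, ...).
# Returns 0 on a valid signature, 1 on an invalid one, 2 on unusable input.
verify_openssl_sig() {
    pubkey=$1; digest=$2; file=$3; sig=$4
    # Only accept digests we are willing to trust; reject anything else early.
    case "$digest" in
        sha256|sha384|sha512) ;;
        *) return 2 ;;
    esac
    rawsig=$(mktemp) || return 2
    if is_base64_sig "$sig"; then
        # base64 -d rejects malformed input, so a false positive still fails closed.
        base64 -d < "$sig" > "$rawsig" 2>/dev/null || { rm -f "$rawsig"; return 2; }
    else
        cp "$sig" "$rawsig" || { rm -f "$rawsig"; return 2; }
    fi
    if openssl dgst "-$digest" -verify "$pubkey" -signature "$rawsig" "$file" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$rawsig"
    return $rc
}
```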