
Added option to skip signature verification

Open ricardoboss opened this issue 2 years ago • 7 comments

My use case for this is running phive in a CI pipeline. I want to be able to install PHARs without user interaction and with already known versions.

ricardoboss avatar Jan 19 '22 15:01 ricardoboss

I'm not convinced I like this option. Let me try to explain:

  • While in the end it of course is the user's/admin's choice, generally offering a means to do insecure things should be avoided
  • The very purpose of phive is to download and verify the signatures before using things
  • It appears to me that your main reason for this change is a lack of a means to interactively confirm a key rather than really wanting to skip the verification
    • If that is correct:
      • For the time being, you could be using --trust-gpg-keys and list the trusted key-ids or fingerprints
      • You could also keep the ~/.phive directory with a previously loaded gpg key ring, containing all trusted keys
      • In the hopefully not so distant future, trusted keys can and should be configurable with phive

theseer avatar Jan 19 '22 15:01 theseer
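The two workarounds listed above (pinning key fingerprints with --trust-gpg-keys and persisting the ~/.phive key ring between runs) in a CI job, as an added example that is not part of the PR or of phive itself. The fingerprint value and the phpunit alias are placeholders; the cache step assumes a GitHub Actions runner with the actions/cache action available.

```yaml
# Added example: non-interactive phive install that keeps signature verification on.
name: install-tools
on: [push]

jobs:
  tools:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Persist ~/.phive so already-imported gpg keys are reused on later runs
      # (theseer's second suggestion); the cache key is scoped to the project's phive.xml.
      - uses: actions/cache@v3
        with:
          path: ~/.phive
          key: phive-${{ hashFiles('phive.xml') }}

      # Pin the signing key explicitly instead of skipping verification
      # (theseer's first suggestion). Replace the placeholder with the real
      # fingerprint of the key that signs the PHAR you install.
      - name: Install pinned PHARs
        env:
          TRUSTED_KEY_FINGERPRINT: "<PLACEHOLDER-FINGERPRINT>"
        run: |
          phive install phpunit --trust-gpg-keys "$TRUSTED_KEY_FINGERPRINT"
```

A wrong or missing fingerprint makes the job fail rather than install an unverified PHAR, which is the behaviour a CI pipeline should rely on.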

I understand and support your position. On the other hand, I also think it is more important to leave the choice to the user.

My current solution is to add trusted keys via --trust-gpg-keys, but this isn't a long term solution. Checking in ~/.phive with already trusted keys sounds like a reasonable solution.

Anyhow, I think this flag should exist, just in case one quickly needs to test something without user interaction. I'd rather have the choice than being constrained by my tools for "security reasons".

ricardoboss avatar Jan 19 '22 15:01 ricardoboss

I'd also be in for a refactoring (something along the lines of --skip-key-verification-yes-i-know-what-im-doing) and/or a warning message being emitted to draw attention to the fact that what the user is doing could be a bad idea.

ricardoboss avatar Jan 19 '22 15:01 ricardoboss

I'll think about it some more :) Appreciate the work either way!

theseer avatar Jan 19 '22 15:01 theseer

@theseer Hi, I'm currently looking through my open PRs. Have you thought about it yet? :)

ricardoboss avatar Oct 22 '22 01:10 ricardoboss

I'll try to work on phive in the upcoming days, so I'll give more feedback asap.

theseer avatar Nov 08 '22 15:11 theseer

Hey @theseer, how's it going? Any news what will happen with this PR?

ricardoboss avatar Feb 21 '23 13:02 ricardoboss