Replies: 2 comments
- The huge list of gpg packages is a bit misleading since gawk is pulling in most of them, which is just a build dep. Maybe another consideration is whether it even builds on Windows?
- Let me point out some more issues I see with GPG:
Overview of the issue
Since binary repositories will presumably increase in importance in the Spack ecosystem, it becomes essential that verifying signatures imposes as few requirements as possible, to avoid complicating the bootstrapping procedure.
Binaries are currently signed and verified using PGP (more specifically `gnupg`), but this software is quite complex and has many dependencies. To reduce the requirements on the side of verification the following strategies are being investigated:
- a trimmed-down build of `gnupg` that reduces as much as possible dependencies and requirements, but still works for Spack
Facts to be considered
- Python has an `ssl` module, which is an interface to some SSL/TLS native library (OpenSSL on Linux)
- Whether the `openssl` or similar command line tools are available wherever `python` is available
- The `ssl` module needs `libssl` and `libcrypto`, and those libraries are usually packaged separately from both the command line tools and the development headers
- If `openssl` is available as a command line tool it should be possible to directly create a key pair in PEM format to sign and verify a file
- Using the `ssl` standard Python module may not be impossible, but it requires going through an X.509 certificate while we are interested only in the associated private/public key pair
Tools that can be used to sign and verify binaries
The following shows how to create a key pair, sign and verify a file with different tools. It also shows the complexity of the spec as concretized by Spack.
GnuPG
GnuPG is the tool we currently use for signing and verifying binary caches. The downside of it is that it has a lot of dependencies, so it's difficult to bootstrap if not already present in the system:
This is an example that shows how to generate a key, sign and verify a file:
Minisign
Minisign is a simple tool to sign files and verify signatures. It can complement OpenPGP in Spack to sign binaries. The package:
The dependency on libsodium can be made a pure build dependency if libsodium is compiled statically. This would be fine from the modeling perspective since `minisign` just provides a command line tool and no other libraries that could be reused in upstream projects. Here are a few considerations on the security of the Ed25519 algorithm.
This is an example that shows how to generate a key, sign and verify a file:
OpenSSL
OpenSSL is a tool that is broadly available on clusters:
Its cryptography layer can be used to sign and verify files:
Converting keys
There are a few articles that explain how to convert key pairs to different formats. An interesting project is monkeysphere, which provides command line tools like `openpgp2pem` or `openpgp2ssh`. It may be complicated though to match the algorithms among tools.
Python modules to sign/verify files
There are a few Python modules to help signing and verifying files, but they all have dependencies on cryptography, which in turn imposes a dependency on clients to have a Rust compiler installed. This defeats the purpose of simplifying the bootstrapping method for `pgp`.
A pure Python implementation of some ECDSA algorithms can be found in the ecdsa package, but it is NOT meant to be a secure implementation and they point users back to `cryptography` in case a secure implementation is needed.
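The "create a key pair in PEM format, sign and verify a file with only the openssl command line tool" strategy from the post, written out as an added example. This is not code from the original discussion or from Spack; it assumes only an `openssl` binary with the `genpkey`, `pkey` and `dgst` subcommands, and the file names, the RSA-2048 key size and the payload are arbitrary choices made here. The demo also tampers with the signed file afterwards, because a verifier is only useful if it rejects that case:

```shell
#!/bin/sh
# Added example, not from the Spack discussion: sign and verify a file using
# nothing but the openssl CLI. Assumes openssl >= 1.0 (genpkey/pkey/dgst).
set -eu

# The whole point of the exercise is to depend on nothing else, so bail out
# cleanly when even openssl is missing instead of failing half-way through.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

# Generate an RSA-2048 key pair in PEM format. The private key stays with the
# build-cache maintainer; only the public key is shipped to clients.
gen_keypair() {
    priv="$1"; pub="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$priv" 2>/dev/null
    chmod 600 "$priv"
    openssl pkey -in "$priv" -pubout -out "$pub"
}

# Detached signature over SHA-256 of the file, written to <file>.sig
# (the counterpart of `gpg --detach-sign`).
sign_file() {
    priv="$1"; file="$2"
    openssl dgst -sha256 -sign "$priv" -out "$file.sig" "$file"
}

# Verify <file> against <file>.sig with the public key. Prints "Verified OK"
# and returns 0, or prints "Verification Failure" and returns non-zero.
verify_file() {
    pub="$1"; file="$2"
    openssl dgst -sha256 -verify "$pub" -signature "$file.sig" "$file"
}

# Round trip: sign a constructed payload, verify it, then corrupt it and
# check that verification now fails. Returns 0 only if both checks pass.
demo() {
    tmp=$(mktemp -d)
    payload="$tmp/payload.tar.gz"
    # Constructed stand-in for a build-cache tarball (not a real archive).
    printf 'spack binary cache payload\n' > "$payload"

    gen_keypair "$tmp/sign.pem" "$tmp/sign.pub"
    sign_file "$tmp/sign.pem" "$payload"
    verify_file "$tmp/sign.pub" "$payload"          # Verified OK

    # A single appended byte must make verification fail.
    printf 'x' >> "$payload"
    if verify_file "$tmp/sign.pub" "$payload" 2>/dev/null; then
        echo "ERROR: tampered payload verified" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "tampered payload rejected as expected"
    rm -rf "$tmp"
}

demo
```

Two caveats worth keeping in mind when comparing this with minisign. RSA plus `openssl dgst` is used here because it works on every OpenSSL still found on clusters; Ed25519 keys can be generated with `openssl genpkey -algorithm ed25519` and used with `openssl pkeyutl -sign -rawin` / `-verify -rawin`, but only on OpenSSL 1.1.1 or newer. Even then an OpenSSL Ed25519 signature is not interchangeable with a minisign one, since minisign wraps the signature in its own base64 container with a key id and, in its default mode, signs a BLAKE2b hash of the file rather than the file itself, which is the "matching the algorithms among tools" problem the post raises.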