freebsd-skq/usr.sbin/pkg_install/sign
Alfred Perlstein f7bb25f702 replace __FUNCTION__ with standardized __func__.
Requested by: jhb
2002-05-11 04:17:55 +00:00
..
check.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
common.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
extern.h Style policy: reformat multiline comments to conform to style(9). 2001-05-17 10:12:45 +00:00
gzip.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
gzip.h Style policy: reformat multiline comments to conform to style(9). 2001-05-17 10:12:45 +00:00
main.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
Makefile Perform a major cleanup of the usr.sbin Makefiles. 2001-07-20 06:20:32 +00:00
pgp_check.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
pgp_sign.c replace __FUNCTION__ with standardized __func__. 2002-05-11 04:17:55 +00:00
pgp.h
pkg_sign.1 Use `The .Nm utility' 2002-04-20 12:27:18 +00:00
README
sha1.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
sign.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
stand.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00
stand.h
x509.c Fix SCM ID's. 2002-04-01 09:39:07 +00:00

To sign packages in a transparent way:
gzip files can handle an extra field at the beginning that
stores anything we wish.

So it's just a question to choose a format for the signature, and to
embed it there.

We use the extra field to store signatures.  Each signature consists
of a 6 bytes type marker, a 2 bytes length, followed by the signature
itself.  We can potentially stack signatures: resign a signed archive
by just prepending the new signature to the extra field.

To check the first signature, the checker just needs to extract it, pass it
off to the checking protocol (e.g. PGP), followed by the unsigned archive
(e.g., regenerate the gzip header  without the first signature, then put
the gzip data).

* Signed archives just look like normal .tar.gz files, except for programs
that use the extra field for their own purpose,
* Possibility to grab the files off the net and extract stuff/verify
signatures on the fly (just need to wedge the checker as an intermediate
pipe)
* Pretty simple, small portable code to be able to check signatures
everywhere (the signer itself needs getpass and corresponding functionality)

The scheme should be extensible to any compressed format which allows for
extended headers.


Thanks to Angelos D. Keromytis for pointing out I did not need to
uncompress the archive to sign it, and to other members of the OpenBSD
project for various reasons.

--
	Marc Espie, 1999
	$OpenBSD: README,v 1.2 1999/10/04 21:46:27 espie Exp $

--

X.509 notes:

I added the ability to sign a package with an X.509 key, and to check
against a stack of X.509 certificates.  This allows a "vendor" to
distribute a system with one or more certificates pre-installed, and
to add certificates in a signed package by appending them to the
default certficiate stack.

The X.509 signatures are stored in the gzip header in the same manner
as other signatures.  This is known to compile against OpenSSL
libraries on OpenBSD 2.7 and FreeBSD 5.0, your mileage may vary.

--

	Wes Peters, Dec 2000
	$FreeBSD$