[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
From: |
Tom Lord |
Subject: |
[Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff |
Date: |
Thu, 25 Dec 2003 14:05:24 -0800 (PST) |
There's more to do but I've munged Robert Collins' gpg hacks to my
satisfaction and they're now available in the latest tla--devo--1.2.
Early testing/review before I turn this into a 1.2preX release will be
appreciated.
* HOWTO fragment (eventually will say more)
Arch can optionally arrange to have the contents of an archive be
signed by each user who creates revisions there. This can be used
to detect cases where the contents of an archive have been modified
by someone other than the person who created the revision (by
import, commit, tag, cacherev, or archive-mirror). Within the next
few days or weeks, this capability will be expanded into a full
facility by means of which project hosts can rapidly and reliably
validate their source control archives after an intrusion detection
-- and a facility by means of which intruders who attempt to modify
archives can be proactively detected.
Additionally, _all_ archives will now begin containing checksum
files which can be used to help detect media failures effecting the
contents of archives.
Briefly, each revision directory in an archive now contains a
`checksum' file. That file contains the full name of the revision
along with an md5 checksum for each file comprising the revision.
In a signed archive, the checksum file can be signed (for example by
"gpg --clearsign").
If a revision is "archive cached", then the revision directory will
also contain a `checksum.cacherev' file containing the full name of
the revision and an md5 checksum for the tar bundle of the cached
revision. In a signed archive, that file too can be clearsigned.
* Making an archive a Signed Archive
A new archive can be made a signed archive by passing the
--signed option to `make-archive'. Existing archives can be
converted to a signed archive by creating the file
`=meta-info/signed-archive' in the archive directory.
Note: if you convert an existing archive to a signed archive, at
this time, only new revisions will be signed. There is no facility
yet for retroactively signing old revisions of existing archives.
* Constructing Signatures
When you import, commit, tag, cacherev, or archive-mirror to a
signed archive, arch will sign the `checksum' and
`checksum.cacherev' files using a user-configurable rule.
You should create one of two files. Either:
~/.arch-params/signing/$ARCHIVE
(where $ARCHIVE is the archive name) to create a rule that applies
only to a specific archive, or:
~/.arch-params/signing/=default
to create a default rule for signing revisions to any signed archive
for which no archive-specific rule is provided.
Those files should contain a shell command, suitable for use with
the "system(3)" libc function. The shell command should read a
message on stdin, and write a signed copy of the message to stdout.
Sample contents of such files are:
gpg --clearsign
(You will likely be prompted for a passphrase.) If you use
quintuple-agent or the agent facility of recent versions of gpg, you
might use something like:
agpg --clearsign
-t
- [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff,
Tom Lord <=
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Miles Bader, 2003/12/25
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Tom Lord, 2003/12/25
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, James Blackwell, 2003/12/25
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Tom Lord, 2003/12/25
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Miles Bader, 2003/12/25
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Tom Lord, 2003/12/25
- [Gnu-arch-users] Re: tla--devo--1.2 has preliminary gpg stuff, Miles Bader, 2003/12/25
- Re: [Gnu-arch-users] Re: tla--devo--1.2 has preliminary gpg stuff, Thomas Zander, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Robert Collins, 2003/12/26
- Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff, Miles Bader, 2003/12/25