-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plugin hook to verify rpms #398
Comments
(edit: add hash-algorithm and hash as input for hook) |
Well, rebuilders may attest this by signing their metadata. In this case strong digests within the signed metadata secure the contained packages. We're about to provide a similar hook, but for externally verifying the repo metadata themselves. ATM this seems to be the more efficient and reasonable approach, so we focus on this. A package based approach is doable, but currently has no priority for the team. |
yes i also think this is at the wrong place of abstraction layers to do it at libzypp level. |
My proposed requirements for a hook also allow for verifying the repo metadata as a whole. Compared to a hook that also allows to verify a subset of packages because it has the information which package are going to be used this has the following consequences:
Thus, while just the hook would be much simpler the over all complexity is much bigger. It also induces additional requirements. And you can also not have a partial success. But if we really give enough people the time to work on this as their highest priority task, then I can live with it.
What is the right place? What is wrong with doing it in libzypp? |
For end-to-end supply chain integrity before a download returns as successful, zypper should verify that some rebuilders attested with their signature that they could reproduce the to be downloaded rpms.
As the transport and format are not settled, my idea was to use a plugin hook, so that zypper does not need to be released for trying different implementations. AFAIK none of the currently available hooks work for this. As the transport could be complex like Certificate Transparency the plugin must take on the task of downloading the necessary signatures. As verification could be complex (like in in-toto-verify) verification and its configuration must be the task of the plugin.
Detached signature support in rpm is a related feature request of rpm. Until that is supported, a temporary copy of the rpm with the original signature replaced with the reproducer signature could be used to verify.
Requirements for the hook:
The configuration of the implemented plugin will likely have (though there are more complex configurations that make sense)
The text was updated successfully, but these errors were encountered: