gnu-arch-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch

From: Thomas Zander
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Mon, 8 Dec 2003 18:01:51 +0100
User-agent: KMail/1.5.4 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 08 December 2003 17:49, Tom Lord wrote:
>  1) Can signing be made an essential property of all (present and
>     future) arch archives, including "smart server" archives and
>     the like?
>   2) Can signing be made an implicit property, essentially hidden
>      from the bulk of the code in arch, of all existing "dumb-fs"
>      arch archive implementations?
...
> To satisfy the immediate needs of Savannah, the FSF, and really the
> free software community generally, I'm looking for an answer to
> question (2).

*nod*

> For question (2), signing the actual tar bundles seems
> like a pragmatic choice.  The trick is to do (2) without hosing the
> architecture of arch (by leaking knowledge of signing into too much
> of the internal interfaces of libarch).

Right, this basically means that to satisfy (2) in a short timespan you will 
ignore (1) for now.
As you know I am not deeply knowledgable on the structures tla has. So allow 
me to show the solution I think is going to satisfy (1) and (2), and I'll 
let you be the judge if it can be done.

The solution I proposed has an extra entry somewhere in the compressed tar 
that is the generated signature of the rest of the tar.
It is likely to be the last file in the tar, and likely to be a standard 
length (which is nice to know when you use streaming protocols).

The way it works is that you create a tar (via make_tmp_tar_archive() for 
example) and print the output to stdOut. You split that stream to run it 
through a gzip and through gpg at the same time.
When tar is done you take the output from gpg and add that to the tar/gzip 
stream as well.
And you have a tar/gz that is signed.

With shell its not so easy; but it can be used to illustrate the point, so 
please remember that this can be done better and with less overhead from 
the examples I show here.

tar c myDir |  tee tmpFile1  | gpg --yes -bao ++sig
tar rf tmpFile1 ++sig
gzip tmpFile1

The only _if_ I see is that tla should not bark over a file being added to 
that tar, I hope that won't be a problem.

- -- 
Thomas Zander
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/1K6ACojCW6H2z/QRAjfuAKCKURv1u3CTQy5tV1pxfxdzchW9IwCg9dty
u+wx41iNbKrr712eSw66cVw=
=PG+H
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]