[bug#53901] [PATCH] publish: Sign only normative narinfo fields.
From: pukkamustard
Subject: [bug#53901] [PATCH] publish: Sign only normative narinfo fields.
Date: Thu, 10 Feb 2022 09:00:12 +0000
Ludovic Courtès <ludo@gnu.org> writes:
> This will allow mirror operators to alter the non-normative bits of a
> narinfo, such as nar URLs and compression methods, without requiring
> them to re-sign narinfos.
>
> [...]
>
> Thoughts?
Sounds good to me.
Maybe we can take the opportunity to do some cleanup?
For example, we could get rid of the narinfo-contents field, as we only
sign the fixed normative fields (in a strict order). This would also
allow us to remove the verify-everything-above-signature logic.
I recently tripped over the narinfo verification logic
(https://issues.guix.gnu.org/52555#43) and think the changes you propose
plus the simplifications above should make this security-critical code a
bit easier to understand.
-pukkamustard
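The scheme discussed in this thread, as an added example that is not part of the original message and not Guix's own code: the signature covers a canonical serialization of a fixed, ordered set of normative fields, so a mirror can rewrite URL and Compression without re-signing, while any change to a normative field (or a missing one) fails verification regardless of where the fields sit in the file. HMAC-SHA256 stands in for the public-key signature that guix publish actually uses, the normative field set is assumed for the example, and all store paths, hashes and sizes are constructed values.

```python
import hmac
import hashlib

# Normative narinfo fields, in the fixed order used for the signed payload.
# This field set is an assumption for the example, not Guix's actual list.
NORMATIVE_FIELDS = ("StorePath", "NarHash", "NarSize", "References")


def parse_narinfo(text):
    """Parse 'Key: value' lines into a dict; a later duplicate overrides an earlier one."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed narinfo line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def serialize_narinfo(fields, order=None):
    """Emit fields as a narinfo text, optionally in a caller-chosen order."""
    keys = list(order) if order is not None else list(fields)
    return "".join(f"{k}: {fields[k]}\n" for k in keys)


def signed_payload(fields):
    """Canonical bytes covered by the signature: normative fields only, in
    NORMATIVE_FIELDS order.  File order and non-normative fields do not matter."""
    missing = [k for k in NORMATIVE_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"narinfo lacks normative field(s): {missing}")
    return "".join(f"{k}: {fields[k]}\n" for k in NORMATIVE_FIELDS).encode()


def sign_narinfo(fields, key):
    """Hex signature over the canonical payload (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, signed_payload(fields), hashlib.sha256).hexdigest()


def verify_narinfo(fields, key):
    """True iff the Signature field matches the canonical normative payload."""
    sig = fields.get("Signature")
    if sig is None:
        return False
    try:
        expected = sign_narinfo(fields, key)
    except ValueError:  # a normative field is missing: nothing valid to check
        return False
    return hmac.compare_digest(sig, expected)


def mirror_rewrite(fields, new_url, new_compression):
    """What a mirror operator does: change URL and Compression, keep Signature."""
    rewritten = dict(fields)
    rewritten["URL"] = new_url
    rewritten["Compression"] = new_compression
    return rewritten


# Constructed sample: the key, store paths, hash and size are all made up.
KEY = b"example-publisher-signing-key"
ORIGINAL = parse_narinfo("""\
StorePath: /gnu/store/0000000000000000000000000000000a-hello-2.12
URL: nar/gzip/0000000000000000000000000000000a-hello-2.12
Compression: gzip
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 12345
References: 0000000000000000000000000000000b-glibc-2.33
""")
ORIGINAL["Signature"] = sign_narinfo(ORIGINAL, KEY)


if __name__ == "__main__":
    mirrored = mirror_rewrite(ORIGINAL, "nar/zstd/0000000000000000000000000000000a-hello-2.12", "zstd")
    print("original verifies:", verify_narinfo(ORIGINAL, KEY))
    print("mirror-rewritten verifies:", verify_narinfo(mirrored, KEY))
    tampered = dict(ORIGINAL, NarHash="sha256:" + "f" * 52)
    print("tampered NarHash verifies:", verify_narinfo(tampered, KEY))
    reordered = parse_narinfo(serialize_narinfo(ORIGINAL, reversed(list(ORIGINAL))))
    print("reordered file verifies:", verify_narinfo(reordered, KEY))
```

The point the verifier side illustrates is that nothing depends on the textual position of the Signature line: the payload is rebuilt from named fields, so there is no "everything above the signature" region to keep around and no need to carry the raw narinfo contents alongside the parsed fields.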