Sam Gentle
8/7/2006 1:30:00 PM
On 8/7/06, Trans <transfire@gmail.com> wrote:
> Sam Gentle wrote:
> > On 8/6/06, Trans <transfire@gmail.com> wrote:
> > > Mat Schaffer wrote:
> > > > On Aug 3, 2006, at 1:05 PM, transfire@gmail.com wrote:
> > > > I think this would make a really nice gem. I love the idea! Maybe a
> > > > future revision could take a regular md5sum output file?
> > >
> > > I'll work on that. Also, someone else wrote me and suggested sha256
> > > instead of md5 for greater security -- good idea. I'm not sure how to
> > > generate the equivalent sha256 output file on my ubuntu box though, all
> > > I see is sha1sum.
> >
> > I'd imagine your best bet here would be to use RSA or something
> > similar for signing. That way you'd just have to include a public key
> > in your remote_source definition and have the author of the module
> > provide signatures for each file. You could have different versions
> > with no troubles, provided they were appropriately signed.
>
> I'm not as sure, albeit I'm not experienced enough to to certain. Could
> you eleborate on how it would work? When you say signitures for each
> file what are we takling about exactly?
Well, essentially the way it works is the author of a module would
generate a public/private key pair, distribute the public key, and use
the private key to encrypt hashes of their modules (ie. sign them).
Anyone with a copy of the public key could then verify that those
modules were signed by the same private key (made by the same person,
essentially...)
The idea being that for each file the author also makes available a
signature file (or even includes them in the script itself, although
that'd be a bit more complex), and the script uses those signatures to
verify.
If you have access to a copy of openssl, you can play around with this:
$ openssl genrsa > key.priv
$ openssl rsa -pubout <key.priv >key.pub
writing RSA key
$ echo "hello world" > myfile.txt
$ openssl dgst -sha1 -sign key.priv <myfile.txt >myfile.sig
$ openssl dgst -sha1 -verify key.pub -signature myfile.sig <myfile.txt
Verified OK
There's one major problem, however: it won't protect against the
author(s) going crazy and adding backdoors after you've trusted them,
or having their private keys stolen by sneaky attackers. It does,
however, mean that you don't have to worry about updating for new
versions.
Sam