[ocaml-platform] OPAM: signing the repository

Hannes Mehnert hannes at mehnert.org
Fri Jun 5 13:57:55 BST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

On 06/05/2015 13:46, David Sheets wrote:
> Ok. If I understand you correctly, modification of a key will
> require resigning all non-malicious objects that used to be signed
> by the old version of the key?


Yep.


>> It will be generated once, all the things will be signed, and
>> then purged from its existence.
> 
> So the public initial-bootstrap key will be baked into opam like
> the root key? Will there be any safeguard against later re-use of
> the "purged" key? Maybe the snapshot bot could check that the 
> initial-bootstrap key is only ever used before a specific commit?


The initial bootstrap key will be a special entry in the root file.
Making it valid only before a specific commit sounds like a good idea.


> So the file keys/dev/user at host will contain triples like: [ [
> "user at host" "algo" "key" ] [ "user at host" "algo2" "key" ] ]
> 
> ? Can the pair of keyid/algo recur?


It shouldn't. Intended is to use the user at host as identifier (thus,
uniqueness). Not sure whether there is a need for a hash over the
public key (keyid).


> Is there a reason that keys/root doesn't reference the
> keyid/authorid in keys/dev? What happens if they are not
> equivalent?


For RMs, the key will just be in keys/root rather than keys/dev. But
we could also put only the user at host ids into keys/root, and have the
RM keys in keys/dev without trouble I believe.


>> Yes, we removed the not-yet-finished part about what is contained
>> in keys/authorid (and how certain parts of it are verified). We
>> want to couple them to GitHub user ids, and email addresses --
>> and have some form of automatic validation (similar to
>> keybase.io).
> 
> Cool! I look forward to that design.


First things first.. Thus, first an implementation of the opam
signing. If you have ideas/thoughts about identities, let us know :)


Hannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCQAGBQJVcZzTAAoJELyJZYjffCjugsQP/2LA+4GagnipkbQynlZrm3EN
JgFJCYDUugOsvWlHUu8zlJBQEhFTix1szW8Jm2hNFU31gj0m6dDMPlpWOKSlBQsX
zb7sMp5tEaMdCbOk1it0heEzA4InfMVsP5sJJ/GNDW//Sgm8fKiQfci/od13aL0e
k8q9fWUT9bQD4Vyurppm0fcriGqTxR7NOFk2TdKh2idQ8n0tcMg9VFh29axyxIYZ
79QolOxduL342AfXXOEbj5zwAtIz4y7HefmlUzPYUCNM+BKEAU3+A2ElF/vNYh5w
ZaV21QVuQQ301i+vW+VrTD+stWZP+gPDH20XKz+/E1fr0BrDgGCQV6OOj55NgxXE
tRDnJBqNNloSDR+DhABbDl8vHYeJr3MX5g95h5KPT70SL5loewRYnNREw8XRS0DM
OYNnuxvYsYY9YzupEw9+j9L5t+uzjN96Ar+57CEWG/swttvki2aF5ILQ0lYgJGvq
IaChCyS0Rcyi0HabICXmgwCR/YTqARIQS+oDlbFOZU7j0L8TJheOxYjFWzrEsilH
Z64k+yC+wh99cf/VVB/6iEjW6iAA9sTd634DddRCTSiQt7DH+DA/hnnSBks/aZik
u7xoFdXcO0dQTtMIz4YIjrNFuxEj8YwvzPNGNdmVg5PbAbp6yseI9+tmXxd1CkKB
ppIun2X+B1W7OwnFkTVC
=hGXX
-----END PGP SIGNATURE-----


More information about the Platform mailing list