* convenient digital signing for el files and snippets
@ 2011-03-09 6:12 Joseph Gay
2011-03-09 15:33 ` Ted Zlatanov
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Gay @ 2011-03-09 6:12 UTC (permalink / raw)
To: emacs-devel
Hi,
I noticed a recent discussion regarding trust with emacswiki et al, and
I have a half-baked idea for increasing user convenience. I'm posting
here for help in gauging viability and usefulness or lack thereof.
In short, add an Emacs command/function to sign an elisp file or snippet
with a comment indicating the signer and signature, and another
command/function to verify the signature.
Usage scenario:
With something like el-get or autoinstall, it is easy to
update a large library or module from emacswiki or other public URI.
However, it is always advisable to check the diff prior to updating
since it is hard to be sure who made what changes.
However, if the file was signed, and contained the signature, it would
be trivial to see whether the signature is valid using a trusted public
key, and let the user know if not and then decide what to do (look at a
diff, look up the key, view changelogs, etc.).
Convenience comes from knowing when a file or snippet is modified by
someone you trust, and thus not having to scan through myriad diffs and
look for possible problems.
Technical details:
Sign a sha1 hash of the file or snippet contents with any existing
signature information removed. Signature for a file is a comment before
the ;;; <file>.el ends here line like ;; Signed <email> <signature>. A
signature for a snippet starts ;;; snip <description> and ends with the
signature line. In this fashion, it should be possible to have a file
containing multiple signed snippets as well as a signed file. The Emacs
command would take care of signing with the user's preferred key and
adding the required comment lines.
There would be one signature (if any), per snippet or file, simply
indicating the last person claiming to be responsible for a particular
sha1. If that person is trusted, and the sha1 matches, all is well. This
is not applicable to git controlled files as git already provides a sha1
for the entire repo and allows annotated tags to be signed.
I'd be happy to implement this functionality if it could work. Any
thoughts?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: convenient digital signing for el files and snippets
2011-03-09 6:12 convenient digital signing for el files and snippets Joseph Gay
@ 2011-03-09 15:33 ` Ted Zlatanov
2011-03-09 16:27 ` Joseph Gay
0 siblings, 1 reply; 4+ messages in thread
From: Ted Zlatanov @ 2011-03-09 15:33 UTC (permalink / raw)
To: emacs-devel
On Wed, 09 Mar 2011 00:12:13 -0600 Joseph Gay <gilleylen@gmail.com> wrote:
JG> In short, add an Emacs command/function to sign an elisp file or snippet
JG> with a comment indicating the signer and signature, and another
JG> command/function to verify the signature.
I think it's better to sign a package than individual files:
- the package manager can do the verification at install time (once)
- there's already a packaging process which can easily have the extra
signing step, and packages have metadata we can use
- signing a package would cover all the files, not just Emacs Lisp
files, and would be done just once per package
- the Emacs Lisp code doesn't have to be polluted by the signing info
- older and legacy code doesn't have to be modified to be signed
So I think it's good to have the support you mentioned but for
package.el instead of at the Emacs Lisp code level.
Ted
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: convenient digital signing for el files and snippets
2011-03-09 15:33 ` Ted Zlatanov
@ 2011-03-09 16:27 ` Joseph Gay
2011-03-09 17:43 ` Ted Zlatanov
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Gay @ 2011-03-09 16:27 UTC (permalink / raw)
To: emacs-devel
>Ted Zlatanov <tzz@lifelogs.com> writes:
>
> I think it's better to sign a package than individual files:
> - the package manager can do the verification at install time (once)
>
> - there's already a packaging process which can easily have the extra
> signing step, and packages have metadata we can use
>
> - signing a package would cover all the files, not just Emacs Lisp
> files, and would be done just once per package
The file-by-file method is not intended to be ubiquitous. I agree
that for controlled packages, signing at the package level is good.
> - the Emacs Lisp code doesn't have to be polluted by the signing info
For packages and multi-file projects, this is sensible, though I don't
think the pollution factor is too bad:
e.g.
--8<---------------cut here---------------start------------->8---
;;; el-signed by Joseph Gay <gilleylen@gmail.com> :chars 6350
;; -----BEGIN PGP SIGNATURE-----
;; Version: GnuPG v1.4.10 (GNU/Linux)
;; iQEcBAABAgAGBQJNd6afAAoJEHcwDyjz7GfnJ1UIALfxJ6nBRQKxlJybtfX1FgkX
;; ZdLdY87eMoHbpffjHPkklzh2rpW5mLUwdhk1HIdiNMvO50v3xx4kGF8BBdBI1bfP
;; HbibsQzjtKe2Rw9gzjApwurraWbBEmVPP/yRXrPE7ORN0B1Hx/Md+ae4WHzq4Nsg
;; Gy21szGsMM4+X3qVhLB+n8qc6/OT4th/qKZGs+BEEe+uX1d7BdKoZBeDv9Be8t7p
;; QWjS5bGs9+6ghqWdbdkxqXW3r0QL5dqBnjUmV/0ZMXJaryuar35woFRRUVfbk01t
;; 13vHlvbOIGPFvE6lWWIhVWum//TpiMkp6d2s3Bx/jakEW9oo6vMAmu0cDWyx07A=
;; =tvGq
;; -----END PGP SIGNATURE-----
;;; el-sign.el ends here
--8<---------------cut here---------------end--------------->8---
> - older and legacy code doesn't have to be modified to be signed
My concern is the quantity of code on EmacsWiki plus the number of
people still using it. Perhaps this could be a stopgap approach until
ELPA takes over.
This wouldn't affect unsigned code. It would be treated the same as it
is now. Only for things that are signed would there be any potential
benefit (assurance that the signature is trusted and validated).
I have some working code now, so I will look into what it would take to
implement a mechanism for ELPA, assuming that's not already in the
works.
Thanks for your input.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: convenient digital signing for el files and snippets
2011-03-09 16:27 ` Joseph Gay
@ 2011-03-09 17:43 ` Ted Zlatanov
0 siblings, 0 replies; 4+ messages in thread
From: Ted Zlatanov @ 2011-03-09 17:43 UTC (permalink / raw)
To: emacs-devel
On Wed, 09 Mar 2011 10:27:14 -0600 Joseph Gay <gilleylen@gmail.com> wrote:
>> - older and legacy code doesn't have to be modified to be signed
JG> This wouldn't affect unsigned code. It would be treated the same as it
JG> is now. Only for things that are signed would there be any potential
JG> benefit (assurance that the signature is trusted and validated).
Right. So what could make the hundreds of EmacsWiki contributors add
this extra code to their source? And what benefit is it to the end
user? EmacsWiki is already open to editing, so what prevents an
uploader from signing malicious code?
JG> I have some working code now, so I will look into what it would take to
JG> implement a mechanism for ELPA, assuming that's not already in the
JG> works.
I'm not aware of it; the TODO list is at the beginning of package.el.
If you write this I'll be glad to test it.
Ted
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-03-09 17:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-03-09 6:12 convenient digital signing for el files and snippets Joseph Gay
2011-03-09 15:33 ` Ted Zlatanov
2011-03-09 16:27 ` Joseph Gay
2011-03-09 17:43 ` Ted Zlatanov
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).