all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* convenient digital signing for el files and snippets
@ 2011-03-09  6:12 Joseph Gay
  2011-03-09 15:33 ` Ted Zlatanov
  0 siblings, 1 reply; 4+ messages in thread
From: Joseph Gay @ 2011-03-09  6:12 UTC (permalink / raw)
  To: emacs-devel

Hi,

I noticed a recent discussion regarding trust with emacswiki et al, and
I have a half-baked idea for increasing user convenience. I'm posting
here for help in gauging viability and usefulness or lack thereof.

In short, add an Emacs command/function to sign an elisp file or snippet
with a comment indicating the signer and signature, and another
command/function to verify the signature.

Usage scenario:

With something like el-get or autoinstall, it is easy to
update a large library or module from emacswiki or other public URI.
However, it is always advisable to check the diff prior to updating
since it is hard to be sure who made what changes.

However, if the file was signed, and contained the signature, it would
be trivial to see whether the signature is valid using a trusted public
key, and let the user know if not and then decide what to do (look at a
diff, look up the key, view changelogs, etc.).

Convenience comes from knowing when a file or snippet is modified by
someone you trust, and thus not having to scan through myriad diffs and
look for possible problems.

Technical details:

Sign a sha1 hash of the file or snippet contents with any existing
signature information removed. Signature for a file is a comment before
the ;;; <file>.el ends here line like ;; Signed <email> <signature>. A
signature for a snippet starts ;;; snip <description> and ends with the
signature line. In this fashion, it should be possible to have a file
containing multiple signed snippets as well as a signed file. The Emacs
command would take care of signing with the user's preferred key and
adding the required comment lines.

There would be one signature (if any), per snippet or file, simply
indicating the last person claiming to be responsible for a particular
sha1. If that person is trusted, and the sha1 matches, all is well. This
is not applicable to git controlled files as git already provides a sha1
for the entire repo and allows annotated tags to be signed.

I'd be happy to implement this functionality if it could work. Any
thoughts?




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2011-03-09 17:43 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-09  6:12 convenient digital signing for el files and snippets Joseph Gay
2011-03-09 15:33 ` Ted Zlatanov
2011-03-09 16:27   ` Joseph Gay
2011-03-09 17:43     ` Ted Zlatanov

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.