Extend OpenPGP signing support with Stateless OpenPGP #3042

Open
dvzrv opened this issue Sep 18, 2024 · 0 comments

dvzrv commented Sep 18, 2024

mkosi commit the issue has been seen with

baab5c5

Used host distribution

Arch Linux

Used target distribution

Arch Linux

Linux kernel version used

6.10.10-arch1-1

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

Currently it is only possible to sign the SHA256SUMS file using gpg.
However, gnupg is a complex thing to get working properly (see #3040) and also starts to diverge from OpenPGP compatibility in >=2.4.

Better, simpler (and stateless) alternatives for the "sign an artifact" use-case exist with Stateless OpenPGP (SOP). With rsop we even have a SOP implementation with smartcard support!

To that end, it would be great to extend the signing capabilities in mkosi by allowing a specific OpenPGP implementation to be set (e.g. using an OpenPGPTool / --openpgp-tool option in the [Validation] section).
The Key option would then need to support setting either an OpenPGP fingerprint (in the case of gpg) or a path to a key (or certificate) in the case of SOP implementations.

Additionally, it would be good to rename the currently used options in the [Validation] section: Sign to OpenPGPSign and Key to OpenPGPKey (that way one could use several signing schemes in parallel, e.g. the ones discussed in #624).

In closing, I would like to add that .gpg is not a good signature suffix for OpenPGP signatures (e.g. .sig might be better as it is not OpenPGP implementation specific and indicates that it is a signature and not possibly a certificate or a keyring, etc.), but I guess that is currently somewhat fixed due to how sysupdate.d expects it. 🥲

Used mkosi config

[Output]
Format=disk
SplitArtifacts=yes

[Content]
Bootable=yes
Bootloader=systemd-boot
Hostname=arch
Packages=
	base
	linux
	nftables
	openssh
	systemd
UnifiedKernelImageFormat=%i-%v+&c
UnifiedKernelImages=yes

[Distribution]
Architecture=x86-64
Distribution=arch

[Host]
RuntimeScratch=no
RuntimeSize=12G

[Validation]
Checksum=yes
Key=<my-key-fingerprint>
Sign=yes

mkosi output

‣  Signing SHA256SUMS…
gpg: using "991F6E3F0765CF6295888586139B09DA5BF0D338" as default secret key for signing
@dvzrv dvzrv added the bug label Sep 18, 2024
@DaanDeMeyer DaanDeMeyer added RFE and removed bug labels Sep 18, 2024
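
One way the tool dispatch requested in this issue could look, as an added example that is not mkosi's code and not written by the issue author. The function names are hypothetical, `tool` stands for the value of the proposed OpenPGPTool option, and any value other than `gpg` is assumed to be a SOP implementation on PATH that follows the SOP `sign` subcommand interface (key file as argument, data on stdin, signature on stdout).

```python
import re
import subprocess
from pathlib import Path

# 40 hex digits: an OpenPGP v4 fingerprint, the form shown in the gpg log line.
FINGERPRINT = re.compile(r"(?:0x)?[0-9A-Fa-f]{40}")


def signing_command(tool: str, key: str, checksums: Path) -> tuple[list[str], bool]:
    """Return (argv, uses_stdio) for a detached signature over `checksums`.

    uses_stdio is True for SOP tools, which take no file arguments for the
    data or the signature and use stdin/stdout instead.
    """
    if tool == "gpg":
        # gpg looks the key up in its own keyring, so it needs a fingerprint.
        if not FINGERPRINT.fullmatch(key):
            raise ValueError(f"gpg needs a key fingerprint, got {key!r}")
        out = checksums.with_name(checksums.name + ".gpg")
        return ["gpg", "--detach-sign", "--default-key", key,
                "--output", str(out), str(checksums)], False
    # SOP is stateless: there is no keyring, the key material is a file.
    if FINGERPRINT.fullmatch(key):
        raise ValueError(f"{tool} needs a path to a key file, not a fingerprint")
    # --no-armor gives a binary signature, matching gpg --detach-sign output.
    return [tool, "sign", "--no-armor", "--", key], True


def sign(tool: str, key: str, checksums: Path) -> Path:
    """Sign `checksums` and return the signature path (.gpg suffix kept,
    since the issue notes sysupdate.d expects it)."""
    argv, uses_stdio = signing_command(tool, key, checksums)
    out = checksums.with_name(checksums.name + ".gpg")
    if not uses_stdio:
        subprocess.run(argv, check=True)
        return out
    with checksums.open("rb") as data:
        # Capture first so a failed run does not leave an empty signature file.
        result = subprocess.run(argv, stdin=data, stdout=subprocess.PIPE, check=True)
    out.write_bytes(result.stdout)
    return out
```

Rejecting a fingerprint for SOP tools and a path for gpg makes a mismatched Key/tool pair fail before any signing process is started.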