
OpenPGP Certificate Directory for distributions #115

Open
dvzrv opened this issue Aug 24, 2024 · 2 comments

Comments

@dvzrv
Collaborator

dvzrv commented Aug 24, 2024

OpenPGP is widely adopted by most Linux distributions, as it offers a decentralized system for artifact verification.

To make use of OpenPGP, most distributions establish a PGPKI (a.k.a. Web of Trust (WoT)), in which trust is delegated from a signature, over the signer's certificate, to the certificates of a few central entities that serve as trust anchors. This is mostly established via "third-party certifications".
The collection of certificates used for data signatures (sometimes in distinct roles) is distributed by many Linux distributions in bundled form, as OpenPGP keyrings.

As of writing, no standardized location for OpenPGP keyrings exists, leaving tools to either do guesswork (related mkosi issue) or rely on proprietary and stateful keystore formats (e.g. GnuPG) and a per-application location.

I am currently working towards a simple specification that encodes metadata required by programs such as package managers or general-purpose verification tools (e.g. "which distribution?", "in what version?", "for which purpose?", "who is certifying?") in a common directory structure.
This would offer a simple, stateless and standardized interface, allowing distributions (or anyone, really) to verify their own artifacts or those of others.

@bluca
Member

bluca commented Aug 24, 2024

This requires buy-in from the main package managers in order to be useful - let's say apt, dnf, zypper, pacman?

@dvzrv
Collaborator Author

dvzrv commented Aug 24, 2024

> This requires buy-in from the main package managers in order to be useful - let's say apt, dnf, zypper, pacman?

Yes, that would be the ideal outcome for the package management use-case.

My idea is to design this to be flexible enough that it can also be used for other purposes: the verification of installation media, virtual machine images, etc. (basically any artifact a distribution may produce and issue an OpenPGP signature for).
