KNewStuff - signed

Andras Mantia amantia at kde.org
Wed Feb 2 09:44:13 GMT 2005


Hi,

 I CC this to kde-core-devel, for comments. The background is that I 
extended KNewStuff to handle signed resources for upload/download.

On Wednesday 10 November 2004 16:45, you wrote:
> Hi,
>
> sorry for the delay, but I had to implement KNewStuff into more apps
> so only now I think there's a sufficient number of complaints from my
> side that justify some more work on the library :)

No problem, I'm slow with responses as well...
A few days ago I finished the implementation of the upload support for 
signed resources. The whole code is under kdewebdev/lib/newstuff, under 
LGPL, ready to be moved to kdelibs from my point of view, although I 
have the feeling that it's a little late now (I was late with the 
upload support). I will give you a little information about the classes 
and the behavior:
QNewStuff: the class that inherits from KNewStuff and the one that 
should be reimplemented for each resource. Only the installResource 
(pure virtual) method needs to be reimplemented, which should install 
the tar file specified by "m_tarName".
Then downloading works like:
  newToolbarStuff = new QNewToolbarStuff("quanta/toolbar", this);
  newToolbarStuff->downloadResource();

Uploading is similar:
  newToolbarStuff = new QNewToolbarStuff("quanta/toolbar", this);
  KTempDir *tempDir = newToolbarStuff->uploadResource(tempFileName);

As you can see it's a little bit different than in the case of KNewStuff, 
where you had to reimplement install and createUploadFile. The main 
reason is the signing, which is asynchronous, and this way for example 
createUploadFile cannot be used, as it would end (and the upload would 
start) before the resource is signed. Unfortunately for download this 
has the problem that you get the "Successfully installed hot new 
resource" box before the actual verification starts, so it also happens 
if the resource installation is cancelled (and the resource is 
marked as installed even if the user cancels it).
The returned KTempDir should be deleted at some time (now on 
application exit), but not too soon, as otherwise you delete the signed 
file before upload. The real solution would be a signal from KNewStuff 
that indicates the end of the upload process, and to delete the temporary 
directory when this signal arrives. If we have the signal, we can do 
the cleanup in QNewStuff as well.

Security: handles signing and verifying the resources. There are two 
checks: an MD5 sum check (using KMD5) and a GPG signature check (using 
the gpg command line tool). Here I will explain the format of the 
uploaded and downloaded resources. The resource consists of three files 
packed into a gzipped tarball:
1. another gzipped tarball containing the actual resource to be 
installed
2. md5sum (holding the MD5 sum)
3. signature (holding the signature of the 1. tarball)

During download the md5sum and the signature will be verified and, if the 
user authorizes the installation, the 1. tarball can be installed. The 
verification checks the md5sum, whether the signature is correct, whether 
the author of the signature is known and whether it's trusted or not, and 
warns the user if needed. It requests a confirmation even if everything 
is OK, but this dialog has a dontshowagain box.
During upload it creates the md5sum for the filename passed to 
uploadResource and signs the file. If there is more than one secret 
key, a list with the keys is offered. The user has to enter the 
passphrase every time a resource is signed. It is possible to not sign the 
resource as well, although this will cause a warning when downloading.

I suggest including these new classes in kdelibs/knewstuff, maybe under 
the name KSecureNewStuff, if not now then for 4.0. Of course some issues 
should be polished, like:
- the problem with "successfully installed". It should be displayed only 
when installResource() signals it.
- the problem with the temporary directory: again a simple signal is 
needed to indicate the end of the upload process
- (runtime) dependency on gpg. I don't know if this is a real problem, 
but we might add a check when a QNewStuff object is created and warn 
the user if gpg is missing.

And of course it must be tested a little more, as right now I was the 
only one who tested it. ;-)

Andras

-- 
Quanta Plus developer - http://quanta.sourceforge.net
K Desktop Environment - http://www.kde.org
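The download-side verification the "Security" paragraph describes (md5sum over the inner tarball, then the detached signature checked via the gpg command-line tool, distinguishing "bad signature", "unknown signer" and "untrusted signer", and tolerating an unsigned resource), as an added Python example that is not part of the kdewebdev/lib/newstuff code. The payload file name resource.tar.gz, the detached-signature form, and the md5sum file holding a bare hex digest are assumptions; the GOODSIG/VALIDSIG/NO_PUBKEY/TRUST_* keywords are gpg's own --status-fd output.

```python
import hashlib, io, subprocess, tarfile, tempfile

INNER = "resource.tar.gz"  # assumed name of the payload tarball inside the outer one

def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def pack_resource(inner_tar, signature=None, md5sum_text=None):
    # Upload side: outer tarball = payload, its md5sum, optional detached signature.
    if md5sum_text is None:  # the override only exists to demonstrate a mismatch
        md5sum_text = hashlib.md5(inner_tar).hexdigest() + "\n"
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        _add(tar, INNER, inner_tar)
        _add(tar, "md5sum", md5sum_text.encode())
        if signature is not None:
            _add(tar, "signature", signature)
    return out.getvalue()

def _gpg_status(payload, signature):
    # Verify a detached signature with the gpg CLI and reduce its --status-fd lines.
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("payload", payload), ("payload.sig", signature)):
            with open(f"{d}/{name}", "wb") as f:
                f.write(blob)
        try:
            cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", f"{d}/payload.sig", f"{d}/payload"]
            proc = subprocess.run(cmd, capture_output=True, text=True)
        except FileNotFoundError:  # the runtime dependency on gpg the mail mentions
            return {"gpg_available": False}
    keys = {l.split()[1] for l in proc.stdout.splitlines() if l.startswith("[GNUPG:] ")}
    return {"gpg_available": True,
            "signature_ok": {"GOODSIG", "VALIDSIG"} <= keys,  # signature verifies
            "signer_known": "NO_PUBKEY" not in keys,  # signing key is in the keyring
            "signer_trusted": bool(keys & {"TRUST_FULLY", "TRUST_ULTIMATE"})}

def verify_resource(outer):
    # Download side: md5 over the payload, then the signature if one is present.
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r:gz") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    payload = files[INNER]
    expected = files["md5sum"].split()[0].decode().lower()  # first token: "hash  name" works too
    result = {"md5_ok": hashlib.md5(payload).hexdigest() == expected,
              "signed": "signature" in files, "signature_ok": False}
    if result["signed"]:
        result.update(_gpg_status(payload, files["signature"]))
    return result
```

Only the signature check authenticates the author; the md5sum is a plain integrity check, so a caller should treat md5_ok without signature_ok as the "unsigned, warn the user" case from the mail.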