[Open-collaboration-services] [REQUEST] Extend API to support gpg signature

Diego Casella ([Po]lentino) polentino911 at gmail.com
Mon Jul 26 13:40:42 CEST 2010

2010/7/26 Frank Karlitschek <karlitschek at kde.org>

> Hi Diego,
> thats a great idea. We can add a signature extension to the API as you
> suggested,
> Do you have a specification or a more detailed description how this system
> should work?

This is my use-case for plasmoid authentication, but it will most likely be
extended for any type of package, let it be a theme, a wallpaper plugin or
whatever else.
Case #1: download scenario:
* The user opens the KHNS widget;
* the widget retrieves the packages infos, along with its signature field in
an ascii-armored format (if any);
* the widget start checking the signatures, displaying for each item the
corresponding level of trust(good/bad/invalid sig etc..);
* the user decides whether downloading the package or not.

Case #2: upload scenario:
* the developers want to upload its cool new package, and confirm the
authenticity of its product;
* he signs the package with its private gpg key, and then opens the KHNS
Upload dialog;
* he selects the package and the signature to upload, and then sends them to
the service provider.

As you can see, the most of the work is being done from the client-side.
What I need is simply a the possibility to have an extra field called
"signature" used to send it along with the package, that's all :) Then, the
client app will take care of authenticating it.
What's your opinion about it? Does it makes sense?



> I can help you with a testserver as soon as we agree on the specification.
> Cheers
> Frank
> On 26.07.2010, at 11:56, Diego Casella ([Po]lentino) wrote:
> > Hello guys,
> >
> > as you should know, this summer I'm working on the authentication of
> downloaded plasmoids by verifying their signatures with the keys in the user
> keyring, and show their "TrustLevel" in the Download Plasmoid dialog.
> However, to make it work correctly, I need the server to be extended in
> order to handle sending and receiving detached, ascii-armored, signatures.
> Besides, talking with Frederik, he wants this feature more general and not
> restricted to plasmoids-only, in order to give the user a level of trust
> about what he/she is going to download from the web. For these reasons, gpg
> signature support would a great improvement to the existing api.
> > What do you think about it ?
> > Regards,
> >
> > Diego.
> >
> > --
> > H: Who is Watson without Sherlock Holmes?
> > G: Watson was a genius in his own right.
> > _______________________________________________
> > Open-collaboration-services mailing list
> > Open-collaboration-services at kde.org
> > https://mail.kde.org/mailman/listinfo/open-collaboration-services
> --
> Frank Karlitschek
> karlitschek at kde.org

H: Who is Watson without Sherlock Holmes?
G: Watson was a genius in his own right.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.kde.org/pipermail/open-collaboration-services/attachments/20100726/bbd9f0db/attachment.htm 

More information about the Open-collaboration-services mailing list