[Open-collaboration-services] [REQUEST] Extend API to support gpg signature

Frank Karlitschek karlitschek at kde.org
Mon Jul 26 22:54:29 CEST 2010 

On 26.07.2010, at 22:10, Frederik Gladhorn wrote:

> On Monday 26 July 2010 13:40:42 Diego Casella ([Po]lentino) wrote:
>> 2010/7/26 Frank Karlitschek <karlitschek at kde.org>
>> 
>>> Hi Diego,
>>> 
>>> thats a great idea. We can add a signature extension to the API as you
>>> suggested,
>>> Do you have a specification or a more detailed description how this
>>> system should work?
>> 
>> This is my use-case for plasmoid authentication, but it will most likely be
>> extended for any type of package, let it be a theme, a wallpaper plugin or
>> whatever else.
>> Case #1: download scenario:
>> * The user opens the KHNS widget;
>> * the widget retrieves the packages infos, along with its signature field
>> in an ascii-armored format (if any);
>> * the widget start checking the signatures, displaying for each item the
>> corresponding level of trust(good/bad/invalid sig etc..);
>> * the user decides whether downloading the package or not.
>> 
>> Case #2: upload scenario:
>> * the developers want to upload its cool new package, and confirm the
>> authenticity of its product;
>> * he signs the package with its private gpg key, and then opens the KHNS
>> Upload dialog;
>> * he selects the package and the signature to upload, and then sends them
>> to the service provider.
>> 
>> As you can see, the most of the work is being done from the client-side.
>> What I need is simply a the possibility to have an extra field called
>> "signature" used to send it along with the package, that's all :) Then, the
>> client app will take care of authenticating it.
>> What's your opinion about it? Does it makes sense?
> 
> Sounds pretty good to me. Signatures are about 200 byte if I'm not mistaken. I 
> would almost favor to inline them in the content/get request, so we don't need 
> to make a separate call. Any reason not to?

I agree. It´s funny, we discussed adding a similar signature field 3 weeks ago at Akademy and it is already in the OCS 1.6 draft
http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft


What do you think? Is this what you need?


> 
> For those as gpg-ignorant as I am:
> Create a signature with 
> gpg -ab attica.tbz2
> And get a file attica.tbz2.asc out of that.
> That is the signature, ascii-armored.
> gpg --verify attica.tbz2.asc checks the signature.
> For knewstuff we'll instead use lib...something.
> 
> Signature looks like this:
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEABECAAYFAkxN6ewACgkQcZKJUyELiPfZlwCgipEZJjUgf9z3HembEYpVtX9h
> pfwAn39WOGGcVBYCBaM92xDRStffL7zY
> =Hudq
> -----END PGP SIGNATURE-----
> 
> Just to say it again: I'm happy to see this happening :D
> 

Indeed!  Very cool stuff!!


> Greetings
> Frederik
> 
> 

Cheers
Frank


> 
>> 
>> Cheers,
>> 
>> Diego.
>> 
>>> I can help you with a testserver as soon as we agree on the
>>> specification.
>>> 
>>> 
>>> Cheers
>>> Frank
>>> 
>>> On 26.07.2010, at 11:56, Diego Casella ([Po]lentino) wrote:
>>>> Hello guys,
>>>> 
>>>> as you should know, this summer I'm working on the authentication of
>>> 
>>> downloaded plasmoids by verifying their signatures with the keys in the
>>> user keyring, and show their "TrustLevel" in the Download Plasmoid
>>> dialog. However, to make it work correctly, I need the server to be
>>> extended in order to handle sending and receiving detached,
>>> ascii-armored, signatures. Besides, talking with Frederik, he wants this
>>> feature more general and not restricted to plasmoids-only, in order to
>>> give the user a level of trust about what he/she is going to download
>>> from the web. For these reasons, gpg signature support would a great
>>> improvement to the existing api.
>>> 
>>>> What do you think about it ?
>>>> Regards,
>>>> 
>>>> Diego.
>>>> 
>>>> --
>>>> H: Who is Watson without Sherlock Holmes?
>>>> G: Watson was a genius in his own right.
>>>> _______________________________________________
>>>> Open-collaboration-services mailing list
>>>> Open-collaboration-services at kde.org
>>>> https://mail.kde.org/mailman/listinfo/open-collaboration-services
>>> 
>>> --
>>> Frank Karlitschek
>>> karlitschek at kde.org
> _______________________________________________
> Open-collaboration-services mailing list
> Open-collaboration-services at kde.org
> https://mail.kde.org/mailman/listinfo/open-collaboration-services


--
Frank Karlitschek
karlitschek at kde.org

More information about the Open-collaboration-services mailing list