DelphiPackageManager / DPM

A Package Manager for Delphi
Apache License 2.0

Hint/Proposal: Asymmetric Crypto for package signature #18

Closed synopse closed 3 years ago

synopse commented 3 years ago

Within mORMot, I have developed some ECC asymmetric cryptography code. It has full certificate chain support (CA), in a simple way, with no external dependency. There is even a command line tool to create certificate or sign files available, much easier to work than openssl command line for instance. The tool could be used directly to sign your packages.

I guess you could consider using this code for your upcoming public repositories. OpenSSL is faster, but a real PITA to deploy on Windows, and there is a pure Pascal version of the code as reference. Our code can sign or verify 1000 signatures per second, so it is not slow for your purpose. ;) It has been used in production for years.

Perhaps the mORMot 2 sources are easier to integrate than the mORMot 1.18: https://github.com/synopse/mORMot2/blob/master/src/core/mormot.core.ecc256r1.pas https://github.com/synopse/mORMot2/blob/master/src/core/mormot.core.ecc.pas https://github.com/synopse/mORMot2/blob/master/src/core/mormot.core.crypto.pas

There are other parts to reuse, e.g. the JSON library, if needed: https://github.com/synopse/mORMot2/blob/master/src/core/mormot.core.json.pas Or the Lizard compression, which is very fast for uncompressing (much faster than Zip - which is also part of the framework): https://github.com/synopse/mORMot2/blob/master/src/lib/mormot.lib.lizard.pas Or a full search engine to search expressions like "grid picture - fmx", and also Binary Buffers Delta Compression (which may be useful when storing .dcu): https://github.com/synopse/mORMot2/blob/master/src/core/mormot.core.search.pas

I would grant you a free licence to use within DPM for sure.

glenkleidon commented 3 years ago

This seems like very good work.

However, the signing of packages is a moderately trivial process using the existing libraries like OpenSSL and the Microsoft APIs. It can even be done simply using a PowerShell wrapper to those APIs. The idea of using something that the broader community has not heard of (i.e. the non-Delphi community), no matter how good it may be, is probably not the right way to go.

This is a matter of trust, but also of known and tested vulnerabilities. Unfortunately your tools are likely to have too low a volume in comparison and we can't know what exploits are present and how vulnerable to a concerted attack they may be. All it would take is someone to deploy a malicious package using some unknown exploit for the level of trust in DPM to be seriously harmed.

Now, I am not saying that your tools aren't good - they almost certainly are given your experience - however, I would be reluctant to use an essentially proprietary implementation when an industry standard is available.
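The signing scheme the thread is debating (ECDSA on secp256r1, which is the NIST P-256 curve that mormot.core.ecc256r1 implements, with SHA-256 over the package bytes) can be shown with nothing but the Go standard library. This is an added example, not code from DPM or mORMot; the package bytes are a constructed sample, and a real client would load the publisher's public key from a trusted certificate rather than generate it in-process:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignPackage hashes the package bytes with SHA-256 and signs the digest with
// the publisher's ECDSA P-256 (secp256r1) key, returning a DER-encoded signature.
func SignPackage(priv *ecdsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyPackage recomputes the digest and checks the signature against the
// publisher's public key; a client should install only when this returns true.
func VerifyPackage(pub *ecdsa.PublicKey, pkg, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed package blob and reports three checks: the genuine
// package verifies, a one-bit tampered copy does not, and a signature checked
// against some other publisher's key does not.
func Demo() (origOK, tamperedOK, wrongKeyOK bool, err error) {
	publisher, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pkg := []byte("constructed sample package: manifest + compiled units") // constructed input
	sig, err := SignPackage(publisher, pkg)
	if err != nil {
		return false, false, false, err
	}
	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit, as a modified .dcu would
	return VerifyPackage(&publisher.PublicKey, pkg, sig),
		VerifyPackage(&publisher.PublicKey, tampered, sig),
		VerifyPackage(&other.PublicKey, pkg, sig), nil
}

func main() {
	o, t, w, err := Demo()
	fmt.Println("genuine:", o, "tampered:", t, "wrong key:", w, "err:", err)
}
```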

glenkleidon commented 3 years ago

The JSON library and the compression tools sound great though. Thanks

synopse commented 3 years ago

The mORMot cryptography has been audited by the cyber security team of a company with $50 billion in assets, for critical processes. And it is validated against OpenSSL and classical reference vectors. If you don't trust our code, we offer optional OpenSSL support, which replaces our asm/Pascal with OpenSSL's. Of course, if you prefer to add the Windows SDK as a requirement and use SignTool, or spend hours fighting the Windows API, it is your choice! :) Thanks for your time and effort on this great tool which seems very promising - the IDE integration sounds great.

glenkleidon commented 3 years ago

Thanks for the update - but I think you just demonstrated the point - you had to explain the level of auditing you have done. It is not that I don't trust your code by the way (I personally would be fine with it). Just using code signing will remove any doubt (it probably won't even come up as an issue). Now if you are saying you have tools that help with code signing then that will be awesome.

BTW I am just a potential contributor to this project - I am not in any way responsible for any of the existing code - this is MY opinion only - and I am not officially part of the DPM project as yet. I am sure VP will respond in an official capacity!

vincentparrett commented 3 years ago

@synopse thanks, when we get to working on package signing I'll definitely take a look. Hopefully you will look at creating DPM packages for mORMot at some point too ;)