Roave / composer-gpg-verify

:closed_lock_with_key: :package: composer plugin to enforce GPG signatures on downloaded GIT composer packages
MIT License

Manage per-project keychain? #10

Open mpdude opened 4 years ago

mpdude commented 4 years ago

Currently this plugin requires that everybody on the team has all the necessary keys on their personal keychain.

I wonder if it would be a good decision to support a dedicated, per-project keychain (in vendor/composer?) that would be managed by the plugin.

So, maybe the root project could configure via extra sections in composer.json a vendor/* or vendor/package-to-KeyID(s) mapping?

At startup, this plugin would have to make sure all necessary keys are available or try to fetch them.

Then, when downloading, make sure we verify against the configured key(s) only.

That way,

  • I don’t clutter my personal keychain with keys necessary for projects and don’t have to juggle different keychains either.
  • Everybody on the team will have the necessary keys without further ado.
  • The decision to trust a particular key would be traceable to the commit adding it.

Cons:

Not everybody might agree which keys are trustworthy.

Ocramius commented 4 years ago

The idea here would be to use extra.keybase-trusted-usernames to create a local keychain

On Sun, Dec 29, 2019, 22:17 Matthias Pigulla notifications@github.com wrote:

Currently this plugin requires that everybody on the team has all the necessary keys on their personal keychain.

I wonder if it would be a good decision to support a dedicated, per-project keychain (in vendor/composer?) that would be managed by the plugin.

So, maybe the root project could configure via extra sections in composer.json a vendor/* or vendor/package-to-KeyID(s) mapping?

At startup, this plugin would have to make sure all necessary keys are available or try to fetch them.

Then, when downloading, make sure we verify against the configured key(s) only.

That way,

  • I don’t clutter my personal keychain with keys necessary for projects and don’t have to juggle with different keychains either.
  • Everybody on the team will have the necessary keys without further ado
  • The decision to trust a particular key would be traceable to the commit adding it

Cons:

Not everybody might agree which keys are trustworthy.

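Sketch of the mechanism the thread discusses, as an added example that is not code from Roave/composer-gpg-verify or from either commenter: a package-to-fingerprint map in the root `composer.json` `extra` section, a project-local GnuPG home directory under `vendor/`, and a verification step that accepts a tag only when the signing key is one the project configured for that package. The `extra.gpg-verify.trusted-keys` key, the `vendor/composer/gnupg` path and every fingerprint below are assumptions (Ocramius mentions `extra.keybase-trusted-usernames` instead; resolving usernames to fingerprints is left out). The status-line parsing relies on the documented `gpg --status-fd` format that `git verify-tag --raw` passes through; `TRUST_*` lines are deliberately ignored because the allow-list, not the local trust database, is what pins the key.

```php
<?php
declare(strict_types=1);

// Hypothetical shape of the root composer.json "extra" section (assumption, not the plugin's schema).
// Exact package names win over the vendor/* wildcard; values are full 40-hex fingerprints.
const ASSUMED_EXTRA = [
    'gpg-verify' => [
        'trusted-keys' => [
            'roave/security-advisories' => ['AAAA1111 BBBB2222 CCCC3333 DDDD4444 EEEE5555'],
            'roave/*'                   => ['0000000000000000000000000000000000000001'],
        ],
    ],
];

function normalizeFingerprint(string $fpr): string
{
    return strtoupper(str_replace(' ', '', $fpr));
}

/** Fingerprints allowed to sign $package: the exact entry wins over the vendor wildcard. */
function allowedFingerprints(array $extra, string $package): array
{
    $map = $extra['gpg-verify']['trusted-keys'] ?? [];
    [$vendor] = explode('/', $package, 2);
    $entry = $map[$package] ?? $map[$vendor . '/*'] ?? [];
    return array_map('normalizeFingerprint', $entry);
}

/** gpg command that imports every configured key into the project-local keychain. */
function keyImportCommand(array $extra, string $homedir): array
{
    $all = [];
    foreach ($extra['gpg-verify']['trusted-keys'] ?? [] as $fprs) {
        foreach ($fprs as $f) {
            $all[normalizeFingerprint($f)] = true;
        }
    }
    // Fetch by full fingerprint rather than short key id: short ids can be collided.
    return array_merge(['gpg', '--batch', '--homedir', $homedir, '--recv-keys'], array_keys($all));
}

/** git command plus environment that verifies a tag against the project keychain only. */
function verifyTagCommand(string $tag, string $homedir): array
{
    return ['env' => ['GNUPGHOME' => $homedir], 'argv' => ['git', 'verify-tag', '--raw', $tag]];
}

/**
 * Decide from `git verify-tag --raw` output (gpg --status-fd lines) whether the tag is
 * signed by an allowed key. Any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line fails. GOODSIG
 * alone is not enough, since it carries only a key id. A VALIDSIG line counts only if
 * its signing-key fingerprint (first field) or primary-key fingerprint (tenth field,
 * present when the signature was made by a subkey) is in the allowed set.
 */
function tagSignedByAllowedKey(string $rawStatus, array $allowed): bool
{
    $trusted = false;
    foreach (preg_split('/\R/', $rawStatus) as $line) {
        if (!preg_match('/^\[GNUPG:\] (\S+)(?: (.*))?$/', $line, $m)) {
            continue;
        }
        switch ($m[1]) {
            case 'BADSIG': case 'ERRSIG': case 'EXPKEYSIG': case 'REVKEYSIG':
                return false;
            case 'VALIDSIG':
                $fields = explode(' ', $m[2] ?? '');
                $candidates = [$fields[0], $fields[9] ?? $fields[0]];
                foreach ($candidates as $fpr) {
                    if (in_array(normalizeFingerprint($fpr), $allowed, true)) {
                        $trusted = true;
                    }
                }
        }
    }
    return $trusted;
}

// Constructed status output, in the shape gpg emits for a signature made by the roave/* key above.
$constructedStatus = implode("\n", [
    '[GNUPG:] NEWSIG',
    '[GNUPG:] GOODSIG 0000000000000001 Example Maintainer <maintainer@example.invalid>',
    '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2020-01-01 1577836800 0 4 0 22 8 00 0000000000000000000000000000000000000001',
    '[GNUPG:] TRUST_ULTIMATE 0 pgp',
]);

$homedir = 'vendor/composer/gnupg'; // assumed location of the per-project keychain
var_dump(keyImportCommand(ASSUMED_EXTRA, $homedir));
var_dump(verifyTagCommand('1.2.3', $homedir));
// Checked against the roave/* wildcard entry, whose key made the constructed signature.
var_dump(tagSignedByAllowedKey($constructedStatus, allowedFingerprints(ASSUMED_EXTRA, 'roave/some-package')));
// Checked against the exact roave/security-advisories entry, which lists a different key.
var_dump(tagSignedByAllowedKey($constructedStatus, allowedFingerprints(ASSUMED_EXTRA, 'roave/security-advisories')));
```

Two properties of this layout address the "cons" raised in the thread: because the map lives in `composer.json`, every change to the set of trusted fingerprints goes through code review and is attributable to a commit, and because verification consults only the fingerprints configured for the package being installed (not everything in the keychain, and not the local trust database), a key imported for one vendor cannot vouch for another vendor's tags.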