uapi-group / specifications

UAPI Group Specifications
https://uapi-group.org/specifications/

OpenPGP Certificate Directory for distributions #115

Open dvzrv opened 2 months ago

dvzrv commented 2 months ago

OpenPGP is widely adopted by most Linux distributions, as it offers a decentralized system for artifact verification.

To make use of OpenPGP, most distributions establish a PGPKI (a.k.a. Web of Trust (WoT)), in which trust is delegated from a signature, over the signer's certificate, to the certificates of a few central entities that serve as trust anchors. This is mostly established via "third-party certifications". The collection of certificates used for data signatures (sometimes in distinct roles) is distributed by many Linux distributions in bundled form, as OpenPGP keyrings.

As of writing, no standardized location for OpenPGP keyrings exists, leaving tools to either do guesswork (related mkosi issue) or rely on proprietary and stateful keystore formats (e.g. GnuPG) and a per-application location.

I am currently working towards a simple specification that encodes metadata required by programs such as package managers, or general purpose verification tools (e.g. "which distribution?", "in what version?", "for which purpose?", "who is certifying?") in a common directory structure. This would offer a simple, stateless and standardized interface allowing distributions (or anyone really) to verify their own artifacts or those of others.

bluca commented 2 months ago

This requires buy-in from the main package managers in order to be useful - let's say apt, dnf, zypper, pacman?

dvzrv commented 2 months ago

This requires buy-in from the main package managers in order to be useful - let's say apt, dnf, zypper, pacman?

Yes, that would be the ideal outcome for the package management use case.

My idea is to design this flexibly enough so that it can also be used for other purposes: the verification of installation media, virtual machine images, etc. (basically any artifact a distribution may produce and issue an OpenPGP signature for).