signed packages and repo about gx HOT 5 OPEN

It would be great to use the existing https://keybase.io/ infrastructure for this. Or at least consider how keybase could be integrated since you want to be agnostic to a specific provider.

from gx.

For including the signature, the distributed tarball could include both foo/ and foo.sig. Bundling this could be part of the publish step.

from gx.

Yeah, i think that having foo/ and foo.sig in the repos would be a great thing to have. We can also define a format for the signature file that describes how to do the verification from different providers. That way we could have one method for keybase, one for standard gpg, and leave it open for others in the future. Definitely don't want to get the system stuck on a single solution that could get broken in the future.

from gx.

Perhaps a methodology similar to what Arch Linux does with pacman [0](https://wiki.archlinux.org/index.php/Pacman/Package_signing) [1](https://wiki.archlinux.org/index.php/DeveloperWiki:Package_signing) could be beneficial?

Their implementation is described as follows:

• Packages are signed using makepkg --sign. This creates a detached binary signature (.sig).
• The signed package is added to the repository database, and a detached signature of the repository database will be generated, using repo-add --verify --sign. The command line options indicate that the signature of the old database will be verified, and that the new database will be signed. Independently of these options, repo-add will detect the detached signature, convert it via base64 to ASCII, and add it to the repository database.
• pacman will download both the databases and the database signatures and verify the databases upon database sync and each time the database is opened. When a package is loaded, its signature will be checked whether that comes from a repo database or a standalone .sig file.
• pacman-key exists for the sake of managing keys, but there is missing functionality

So per that, signatures of the repo database and the package itself would both be maintained and handled by the package manager.

from gx.

Drive-by suggestion: https://theupdateframework.github.io/ is a well-done specification for how to do signed artifacts. I'm not sure how well it would work with gx directly, but it's a great example to work from.

from gx.