Comments (5)
It would be great to use the existing https://keybase.io/ infrastructure for this. Or at least consider how keybase could be integrated since you want to be agnostic to a specific provider.
from gx.
For including the signature, the distributed tarball could include both foo/ and foo.sig. Bundling this could be part of the publish step.
from gx.
Yeah, I think that having foo/ and foo.sig in the repos would be a great thing to have. We can also define a format for the signature file that describes how to do the verification from different providers. That way we could have one method for keybase, one for standard gpg, and leave it open for others in the future. Definitely don't want to get the system stuck on a single solution that could get broken in the future.
from gx.
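Added example, not code from gx or from anyone in this thread: a Go sketch of the provider-agnostic foo.sig idea proposed above, where the signature file names its verification method and the installer dispatches on it, failing closed for methods it does not know. The SigFile layout, the Verifiers registry, the trustedKeys keyring and the use of ed25519 as the one wired-up method are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SigFile is a hypothetical layout for foo.sig: the file names its verification
// method, so the package manager can dispatch to gpg, keybase or a later scheme.
type SigFile struct {
	Method    string `json:"method"`    // e.g. "ed25519", "gpg", "keybase"
	KeyID     string `json:"key_id"`    // method-specific key identifier
	Signature string `json:"signature"` // hex-encoded detached signature
}

// Verifiers is the method registry (only "ed25519" here); trustedKeys stands in
// for a local keyring, the role pacman-key plays for pacman.
var Verifiers = map[string]func(keyID string, pkg, sig []byte) error{"ed25519": verifyEd25519}
var trustedKeys = map[string]ed25519.PublicKey{}
func verifyEd25519(keyID string, pkg, sig []byte) error {
	if pub, ok := trustedKeys[keyID]; !ok {
		return fmt.Errorf("key %q is not in the trusted keyring", keyID)
	} else if !ed25519.Verify(pub, pkg, sig) {
		return fmt.Errorf("signature does not match package contents")
	}
	return nil
}
// SignPackage is the publish-step half: produce foo.sig for the archived tree.
func SignPackage(priv ed25519.PrivateKey, keyID string, pkg []byte) ([]byte, error) {
	sig := hex.EncodeToString(ed25519.Sign(priv, pkg))
	return json.Marshal(SigFile{Method: "ed25519", KeyID: keyID, Signature: sig})
}
// VerifyPackage is the install-step half: parse foo.sig, dispatch on its method, fail closed otherwise.
func VerifyPackage(sigJSON, pkg []byte) error {
	var sf SigFile
	if err := json.Unmarshal(sigJSON, &sf); err != nil {
		return fmt.Errorf("malformed foo.sig: %w", err)
	}
	verify, ok := Verifiers[sf.Method]
	if !ok {
		return fmt.Errorf("unsupported signature method %q", sf.Method)
	}
	sig, err := hex.DecodeString(sf.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	return verify(sf.KeyID, pkg, sig)
}
```

Adding a gpg or keybase provider means registering another function in Verifiers; existing foo.sig files and clients are unaffected.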
Perhaps a methodology similar to what Arch Linux does with pacman [0](https://wiki.archlinux.org/index.php/Pacman/Package_signing) [1](https://wiki.archlinux.org/index.php/DeveloperWiki:Package_signing) could be beneficial?
Their implementation is described as follows:
- Packages are signed using makepkg --sign. This creates a detached binary signature (.sig).
- The signed package is added to the repository database, and a detached signature of the repository database will be generated, using repo-add --verify --sign. The command line options indicate that the signature of the old database will be verified, and that the new database will be signed. Independently of these options, repo-add will detect the detached signature, convert it via base64 to ASCII, and add it to the repository database.
- pacman will download both the databases and the database signatures and verify the databases upon database sync and each time the database is opened. When a package is loaded, its signature will be checked whether that comes from a repo database or a standalone .sig file.
- pacman-key exists for the sake of managing keys, but there is missing functionality
So per that, signatures of the repo database and the package itself would both be maintained and handled by the package manager.
from gx.
Drive-by suggestion: https://theupdateframework.github.io/ is a well-done specification for how to do signed artifacts. I'm not sure how well it would work with gx directly, but it's a great example to work from.
from gx.