Evaluate Git/PGP integration for signing and signature checking
For checking signatures against a list of allowed PGP key IDs (e.g. from pacman-key) and the local signing of repository sync databases, we need integration with tooling that can deal with PGP.
When looking at other avenues for signature validation in git repositories (e.g. #151), one could also look at OpenSSH-based signature integration (this is not something that pacman can handle for repository sync databases though, so it falls flat for the use case of repository sync database signing, see #32).
Requirements
| repod mode | git | smartcard (db signing) | git tag validation | WOT integration (git tag/db validation) |
|---|---|---|---|---|
| user | Yes | Yes | Yes | Yes [2] |
| system | Yes | Yes [1] | Yes | Yes [2] |
[1] If we want to allow a dedicated machine to be able to sign sync databases itself, it would probably be good to also have smartcard support here.
[2] Depending on support in keyringctl (see keyringctl#3), we can also evaluate the use of a flat file here (i.e. a keyring file with all "allowed keys") instead of hooking into an existing web-of-trust.
PGP providers
gpgme
- pypi.org package is extremely out-of-date (last release 2018, 12(!) releases behind current gpgme)
- package does not build in venv (as the sdist is so outdated and uses some super ancient integration), only system integration can be used until upstream fixes this
- patches have been provided to upstream for fixing sdist tarball generation and PEP517 based builds (so far no response)
sequoia
- no sdist tarballs or wheels on pypi.org, only system integration can be used until upstream fixes this
- unclear feature set
- upstream proposes using pyo3 to build something custom or johnnycanencrypt instead
johnnycanencrypt
- provides sdist tarballs and wheels on pypi.org
- written in rust, based on sequoia
- basic, does not integrate with keyring, requires a local "keystore" directory
- seems to have smartcard integration
- does not yet use sequoia's internal keystore implementation/specification
python-gnupg
- has sdist tarballs and wheels on pypi.org
- developed at https://github.com/vsajip/python-gnupg
- shells out to gpg 😢
pgpy
- has sdist tarballs and wheels on pypi.org
- developed at: https://github.com/SecurityInnovation/PGPy
- PGP implementation in Python
- feature set needs evaluation
Git providers
dulwich
- somehow integrates with gpg for signatures (unclear if they ever test this, given that everything is terribly out-of-date and broken)
pygit2
- pygit2 can get to signature strings, so PGP integration is likely open / can be implemented whichever way
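To make concrete what "getting to the signature string" buys us for the allowed-key check described at the top of this issue, here is an added example (not repod code, not code from any of the providers listed above, standard library only). It takes a raw git tag object as a git library would hand it over, splits the signed payload from the armored signature git appends to the tag message, dearmors it, pulls the issuer key ID out of the signature packet (RFC 4880 Issuer / Issuer Fingerprint subpackets), and checks that key ID against a list of allowed fingerprints. The tag object, the signature packet and the fingerprint list are all constructed placeholders: the packet has a valid layout but junk MPIs, so it can never verify cryptographically. The cryptographic verification of `payload` against the signature is deliberately left to whichever PGP provider gets chosen; this is only the provider-independent policy part.

```python
import base64

# ---- armor handling (RFC 4880 §6) -------------------------------------------
def _crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """ASCII-armor a signature packet (only needed to build the sample below)."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(_crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")

def dearmor(armored: str) -> bytes:
    """Strip armor, skip armor headers, and reject a packet whose CRC-24 does not match."""
    lines = armored.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body, idx = lines[1:-1], 0
    while idx < len(body) and body[idx].strip():  # armor headers end at the first blank line
        idx += 1
    data_lines = [l.strip() for l in body[idx:] if l.strip()]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC-24 armor checksum")
    crc_line = data_lines.pop()
    packet = base64.b64decode("".join(data_lines))
    if _crc24(packet) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return packet

# ---- signature packet parsing (RFC 4880 §4.2, §5.2.3) ------------------------
def _read_subpackets(data: bytes) -> dict:
    """Return {subpacket type: payload} for a run of signature subpackets."""
    found, pos = {}, 0
    while pos < len(data):
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        sub_type = data[pos] & 0x7F          # bit 7 is the "critical" flag
        found[sub_type] = data[pos + 1:pos + length]  # length counts the type octet
        pos += length
    return found

def issuer_key_id(packet: bytes) -> str:
    """Long (64-bit) key ID of the issuer of a v4 signature packet, upper-case hex."""
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                            # new-format header
        tag, first = hdr & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        elif first == 255:
            body = packet[6:6 + int.from_bytes(packet[2:6], "big")]
        else:
            raise ValueError("partial-body lengths not supported")
    else:                                     # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype
        body = packet[1 + n:1 + n + int.from_bytes(packet[1:1 + n], "big")]
    if tag != 2 or body[0] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {body[0]}")
    hashed_len = int.from_bytes(body[4:6], "big")
    pos = 6 + hashed_len
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    # hashed subpackets are covered by the signature and take precedence
    subs = {**_read_subpackets(body[pos + 2:pos + 2 + unhashed_len]),
            **_read_subpackets(body[6:pos])}
    if 33 in subs and subs[33][0] == 4:       # Issuer Fingerprint: key ID = last 8 bytes
        return subs[33][1:][-8:].hex().upper()
    if 16 in subs:                            # Issuer: 8-byte long key ID
        return subs[16].hex().upper()
    raise ValueError("signature carries no issuer information")

# ---- git tag handling and the allowlist policy --------------------------------
def split_signed_tag(raw_tag: bytes) -> tuple:
    """Git appends the armored signature to the tag message; everything before it is signed."""
    idx = raw_tag.find(b"\n-----BEGIN PGP SIGNATURE-----")
    if idx < 0:
        raise ValueError("tag is not signed")
    return raw_tag[:idx + 1], raw_tag[idx + 1:].decode("ascii")

def allowed_signer(key_id: str, allowed: list) -> bool:
    """Accept only if the long key ID matches the tail of an allowed fingerprint or key ID."""
    wanted = key_id.replace(" ", "").upper()
    return any(e.replace(" ", "").upper()[-16:] == wanted for e in allowed)

def check_tag(raw_tag: bytes, allowed: list) -> tuple:
    """Return (allowed?, issuer key ID); cryptographic verification of payload is the provider's job."""
    payload, armored = split_signed_tag(raw_tag)
    key_id = issuer_key_id(dearmor(armored))
    return allowed_signer(key_id, allowed), key_id

# ---- constructed sample data (placeholders, not a real key or signature) -------
ASSUMED_KEY_ID = bytes.fromhex("0123456789ABCDEF")

def _fake_signature_packet(key_id: bytes) -> bytes:
    """Minimal v4 signature packet with a creation-time and an Issuer subpacket; MPI is junk."""
    hashed = b"\x05\x02" + bytes.fromhex("6540F000")   # len 5, type 2 (creation time)
    unhashed = b"\x09\x10" + key_id                    # len 9, type 16 (Issuer)
    body = (b"\x04\x00\x01\x08"                        # v4, binary sig, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34" + b"\x00\x08\xff")           # hash prefix + one junk MPI
    return bytes([0xC0 | 2, len(body)]) + body          # new-format header, tag 2

SAMPLE_TAG = (b"object 0000000000000000000000000000000000000000\ntype commit\ntag v1.0.0\n"
              b"tagger Example Packager <packager@example.org> 1698820000 +0100\n\n"
              b"release v1.0.0\n" + armor(_fake_signature_packet(ASSUMED_KEY_ID)).encode())
ALLOWED_FINGERPRINTS = ["FFFF FFFF FFFF FFFF FFFF  FFFF 0123 4567 89AB CDEF"]

if __name__ == "__main__":
    print(check_tag(SAMPLE_TAG, ALLOWED_FINGERPRINTS))
```

Two things worth keeping in mind when wiring this into a provider: the Issuer subpacket usually sits in the unhashed area, which is not covered by the signature, so the key ID extracted here is a lookup hint and an early reject, not proof of who signed; the fingerprint the provider reports after a successful verification is what the allowlist must finally be checked against. Matching on the last 16 hex digits is only there so that both long key IDs and full fingerprints can appear in the list; storing full fingerprints is the safer choice.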
gitpython
- long track record of botched releases (faith in upstream quite low also given that the project seems to be in maintenance-only mode over developing gitoxide)
- relies on system git and gnupg executables