Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id BFA64782B84
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 19 Jan 2020 11:01:50 +0000 (UTC)
Received: by mail-pf1-f193.google.com with SMTP id n9so14277837pff.13
        for <~alpine/devel@lists.alpinelinux.org>; Sun, 19 Jan 2020 03:01:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=vfXuqSP1chy/A59nK1ERdVzEXkWVfQ8qv+nOTsgHyYQ=;
        b=opSL9ta2C36PQS6j011PPnhhOgzBOR2p6sTjs4I44NFzglGC1nE3PRD/G8z4D5H0+e
         OFTn47CkptzQu5ugipWx/b1jHurvQ+L8YqpXjmmSlCPeXpzrEb9hjMl4SAduyRiwIKL3
         7a+lW+Wf/rBA0DNBw/BM9e9TQpaVkH2kmkZ+y9oIli1f5hqS9+vCrsRggEVrT2NwZ4U2
         QY+Uy7Gksi2sg525j1x9Q2/7Gmx3e1FuYuLeY5r7X0UdqwRlJcLMgJZDF0LTrmyHW9L6
         Dir1nOnJPKc4bGuX/PqQIJ685K/G8BxK4sEUx/NnCGETk6zF0bBO9QkuHC9XHpX7TUxw
         WzlQ==
X-Gm-Message-State: APjAAAX690Q/k7WCX2Ud4Um9UWGUHDIvg5MJ5kLIhGeTA8RNWY2OpNjH
	8Bt2u4Wr+WCPeIN6U3BrQNQ=
X-Google-Smtp-Source: APXvYqxY+YXKYI+I2mURL752n5poLEI4QXu+f5mjaX+QS2tQeU8pyv3ncBm5aV0j1VKOvY3dIqvK3w==
X-Received: by 2002:a62:cd81:: with SMTP id o123mr12576222pfg.110.1579431708998;
        Sun, 19 Jan 2020 03:01:48 -0800 (PST)
Received: from vostro ([180.150.21.129])
        by smtp.gmail.com with ESMTPSA id u18sm34939283pgn.9.2020.01.19.03.01.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 19 Jan 2020 03:01:48 -0800 (PST)
Date: Sun, 19 Jan 2020 13:01:41 +0200
From: Timo Teras <timo.teras@iki.fi>
To: "Ariadne Conill" <ariadne@dereferenced.org>
Cc: "Drew DeVault" <sir@cmpwn.com>, "Natanael Copa" <ncopa@alpinelinux.org>,
 ~alpine/devel@lists.alpinelinux.org
Subject: Re: repo pinning, whether to include repository name in pkg [was
 Re: new package format and repository layout changes]
Message-ID: <20200119130141.33011217@vostro>
In-Reply-To: <185d5d5ee06c85855c43c3386bae7e90@dereferenced.org>
References: <20200118001927.3492f70d@vostro.lan>
	<20200117093110.13bfdc9f@vostro.lan>
	<BZY4HPQ7P5IO.32ODJBJGIGRTN@homura>
	<185d5d5ee06c85855c43c3386bae7e90@dereferenced.org>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 17 Jan 2020 23:15:08 +0000
"Ariadne Conill" <ariadne@dereferenced.org> wrote:

> January 17, 2020 4:19 PM, "Timo Teras" <timo.teras@iki.fi> wrote:
> 
> > On Fri, 17 Jan 2020 09:06:38 -0500
> > "Drew DeVault" <sir@cmpwn.com> wrote:
> >   
> >> On Fri Jan 17, 2020 at 9:31 AM, Timo Teras wrote:
> >> Having said all this. I am still somewhat concerned and thinking
> >> that putting repository name to the package might be useful thing.
> >> But perhaps in should be the originally-built-from-repository and
> >> not the index name.
> >> 
> >> Does any of you share my concerns that the repo name should be
> >> signed?
> >> 
> >> Still NACK on signing the repo name. Signed data should be
> >> autonomous of its original source, so long as it's signed it
> >> doesn't matter how it got to you.  
> > 
> > Would you be able to give some reasoning, arguments or use-cases why
> > you think this is the correct approach?  
> 
> Downstream of Alpine, we use apk fetch to compose repositories for
> customers which contain the exact set of packages we provide support
> for.  These package sets are not aligned with the repository split
> that upstream Alpine uses.  It would be desirable to retain this
> functionality without having to resign the packages.
> 
> While breaking this functionality would only require some minor
> rework of our scripts (to resign the packages), it also breaks the
> ability to audit the supply chain: our customer cannot verify that
> their package has actually originated from Alpine if we resign it
> at present.  Accordingly, it would be desirable in any case that
> we have to rewrite the control section of the package to be able to
> include a signed copy of the previous control section, to ensure that
> the supply chain audit-ability requirement is preserved.
> 
> Being able to compose new repositories from existing ones *and*
> preserve the original signatures is, unfortunately, for various
> reasons, a hard requirement for us.

Thanks for this. I suppose it this make sense.

My next questions would be then about what kind of signing policy you
are using/would like to have?

There obviously is Alpine key and your key in place.

So, what would be the desired policy:

a) sign packages with both keys, check only your key? (alpine signature
is more for sideband verification)

b) sign packages with both keys, have apk check both signatures?

c) sign packages with alpine key, index with your key; have clients
trust both?

d) sign index with your key; include trust-delegation-signature of
alpine key in index so that packages are signed with alpine key only,
and client has only your key?

e) something else? what?

Cheers,
Timo