Document signing process.

This commit is contained in:
Martin v. Löwis 2010-07-16 07:53:23 +00:00
parent c4a3731bfd
commit 239ce198bc
1 changed files with 53 additions and 0 deletions

View File

@ -83,6 +83,59 @@ Examples:
- /stats/months/2008-11.bz2
- /stats/months/2008-10.bz2
Mirror Authenticity
===================
With a distributed mirroring system, clients may want to verify that
the mirrored copies are authentic. There are multiple threats to
consider:
1. the central index may get compromised
2. the central index is assumed to be trusted, but the mirrors might
be tampered.
3. a man in the middle between the central index and the end user,
or between a mirror and the end user might tamper with datagrams.
This specification only deals with the second threat. Some provisions
are made to detect man-in-the-middle attacks. To detect the first
attack, package authors need to sign their packages using PGP keys, so
that users verify that the package comes from the author they trust.
The central index provides a DSA key at the URL /serverkey, in the PEM
format as generated by "openssl dsa -pubout" (i.e. RFC 3280
SubjectPublicKeyInfo, with the algorithm 1.3.14.3.2.12). This URL must
*not* be mirrored, and clients must fetch the official serverkey from
PyPI directly, or use the copy that came with the PyPI client software.
Mirrors should still download the key, to detect a key rollover.
For each package, a mirrored signature is provided at
/serversig/<package>. This is the DSA signature of the parallel URL
/simple/<package>, in DER form, using SHA-1 with DSA (i.e. as a RFC
3279 Dsa-Sig-Value, created by algorithm 1.2.840.10040.4.3)
Clients using a mirror need to perform the following steps to verify
a package:
1. download the /simple page, and compute its SHA-1 hash
2. compute the DSA signature of that hash
3. download the corresponding /serversig, and compare it (byte-for-byte)
with the value computed in step 2.
4. compute and verify (against the /simple page) the MD-5 hashes
of all files they download from the mirror.
An implementation of the verification algorithm is available from
https://svn.python.org/packages/trunk/pypi/tools/verify.py
Verification is not needed when downloading from central index, and
should be avoided to reduce the computation overhead.
About once a year, the key will be replaced with a new one. Mirrors
will have to re-fetch all /serversig pages. Clients using mirrors need
to find a trusted copy of the new server key. One way to obtain one
is to download it from https://pypi.python.org/serverkey. To detect
man-in-the-middle attacks, clients need to verify the SSL server
certificate, which will be signed by the CACert authority.
Special pages a mirror needs to provide
=======================================