[Koha-bugs] [Bug 24632] Plugins should support simple signing for security/varifiability

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Apr 16 11:30:55 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632

--- Comment #3 from David Cook <dcook at prosentient.com.au> ---
Preface: Apologies for the long post. It was my mental working through of
possibilities for libraries for this functionality. Maybe it will be useful to
someone else's thought process. Feel free to ignore and I'll write a shorter
one after it with a suggestion.

--

Oh right... gpg will handle that transparently if we just provide something
like "gpg --verify plugin.sig plugin.kpz" or "gpg --decrypt plugin.kpz.sig
--output plugin.kpz". 

Of course, the fun comes when shelling out to gpg from a web process...

Some interesting conversation between Gregor Herrmann and Daniel Kahn Gillmor
about this topic at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875124. 

They seem to suggest GnuPG::Interface but it still just shells out rather than
using bindings. (A few years ago, I was interested in working on some Perl
bindings for GPG, but just never found the time - quelle surprise.)

On that note... we don't *have* to use GPG for signing. 

Although I don't really have any other obvious viable candidates. There's EdDSA
(https://en.wikipedia.org/wiki/EdDSA#Software), but nothing there is standing
out to me.

Libgcrypt has signature support but I recall Crypt::GCrypt being terribly
broken and it doesn't have signature support anyway. 

Although we could look at "python3-gpg" in Debian/Ubuntu, which is the official
Python binding for GPG using GPGME. But we couldn't use that in Starman and
that would be a pain to set up. 

Maybe Crypt::OpenSSL::RSA which looks recent and seems to use bindings rather
than shelling out. I see libcrypt-openssl-rsa-perl in Ubuntu 18.04. 

(Apparently Crypt::OpenSSL::RSA appears in some OCLC docs for working with Perl
and Relais:
https://help.oclc.org/Resource_Sharing/Relais_D2D/Authentication/Encryption)

(Also kind of interesting looking at what Crypt::JWT uses for managing JWS
algorithms: https://metacpan.org/pod/Crypt::JWT. As you can see,
Crypt::OpenSSL::RSA shows up there again.)

Oh that's interesting... for EdDSA it uses Crypt::PK::Ed25519, but Ubuntu 18.04
doesn't have Crypt::JWT or Crypt::PK::Ed25519. 

Oh actually... libcryptx-perl is available in Ubuntu 18.04 and Debian Stretch
Backports... https://metacpan.org/pod/CryptX and
https://packages.debian.org/search?keywords=libcryptx-perl

No idea who Karel Miko is but that is amazing. Based on his LinkedIn, it looks
like he's been doing security for quite a long time (and has maintained CryptX
since 2013). 

https://metacpan.org/pod/Crypt::PK::RSA looks pretty interesting. 

And looking here https://metacpan.org/source/MIK/CryptX-0.068/CryptX.xs you can
see it using the libtomcrypt headers (https://www.libtom.net/).  

Looks like libtomcrypt has 35 listed contributors
(https://github.com/libtom/libtomcrypt/graphs/contributors) including Karel
Miko... with most of the work starting in 2017...although apparently it was
originally created by Tom St Denis (a Canadian from Ottawa) in 2001. So I'm
guessing maybe not everything is shown in the GitHub. Seems like a pretty
active project with a handful of developers working on it. 

Ooof... looks like there were some big dramas back in 2009 and Tom St Denis
left the project and no one immediately took it up
(https://groups.google.com/forum/#!msg/sci.crypt/Z7lVGM2wo2o/UfQpm0cdQRMJ).
Obviously someone did resurrect it though. The GitHub history goes back to
2008/2009. Anyway that's just history. Seems like it's seen a fair bit of work
since then, plus it's in every Linux distribution it seems. 

I feel like I've heard of libtomcrypt before in a project I was using... ahhh
yes because dropbearssh uses libtomcrypt (which I compiled to run on my Android
phone so I could use rsync on my phone using SSH). 

Anyway...
