[Koha-bugs] [Bug 24632] Plugins should support simple signing for security/varifiability
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Apr 30 10:53:20 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
--- Comment #9 from David Cook <dcook at prosentient.com.au> ---
OK I've used openssl to generate a RSA private key and a public key, and create
a signature for the KitchenSink KPZ (or more accurately a signature of a SHA256
digest of the KitchenSink KPZ).
I've used Crypt::OpenSSL::RSA to load the public key and verify the signature
against the KitchenSink KPZ file, and it's working very nicely on
koha-testing-docker.
Hurray!
Next, I plan to great a plugin_keys table (or something like that) where admins
can upload RSA public keys against a little descriptive name.
Then, I'll add an upload option for the signature file. (I'll add a system
preference to make the signature mandatory and default that preference to off
for backwards compatibility.)
Then, I iterate through the public keys to see if any of them return true. (The
error reporting in Crypt::OpenSSL::RSA isn't brilliant. False is returned if
the key is bad, false is returned if the file is bad, and false if the
signature is bad. There's no way to differentiate between the failure states.
That all being said, I suppose it doesn't matter too much. We can just tell
users to review their saved keys, and double-check their source and that
they're using the right signature for the right file.)
I really thought I'd be able to work through my hunger but... going to have to
eat.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list