author François Kooman <fkooman@tuxed.net> 2019-08-05 10:55:26 +0200
committer François Kooman <fkooman@tuxed.net> 2019-08-05 10:55:26 +0200
commit cbcec212743394f170ffc8df0b0f5267c518f56d (patch)
tree 87fe70588b0e889481de58ec6bf0185e17a2f9bc /posts
parent 7aeb3329a7e75c78c0030b20ca68eb63e0fd729f (diff)
add minisign post
Diffstat (limited to 'posts')
-rw-r--r-- posts/minisign.md 93
1 files changed, 93 insertions, 0 deletions
diff --git a/posts/minisign.md b/posts/minisign.md
new file mode 100644
index 0000000..c560867
--- /dev/null
+++ b/posts/minisign.md
@@ -0,0 +1,93 @@
+---
+title: Minisign
+published: 2019-08-05
+---
+
+A little while back I read an interesting
+[article](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) on PGP,
+and how we really should stop using it. Not everyone agrees, but GnuPG already
+bothered me for quite
+[some](https://twitter.com/fkooman/status/888318029167284224)
+[time](https://twitter.com/fkooman/status/874321200822071300). Even if there is
+a genuine need for a universal tool for "all things crypto", GnuPG, does not
+seem to be it. That being said, some proposals in the mentioned blog post
+recommend people to use (proprietary) centralized services to communicate. That
+is obviously far from ideal, but it really seems the only option for
+"normal" users at the moment. We are all waiting for secure, privacy friendly,
+decentralized and free software solutions that are also easy to use...
+
+The solution for software signing, as mentioned in the post, _is_ a great
+improvement over using PGP for this purpose!
+
+The tool, [Minisign](https://github.com/jedisct1/minisign), seems like the
+perfect tool! Small, modern algorithms, and easy to use! I was already a bit
+familiar with [Signify](https://man.openbsd.org/OpenBSD-current/man1/signify.1),
+so it seemed only logical to start evaluating using Minisign for my own
+[projects](https://www.tuxed.net/fkooman/projects.html).
+
+The problem was, that it was not yet available as a "ready to use" package in
+[Fedora](https://getfedora.org/) and [CentOS](https://centos.org/) / Red Hat
+Enterprise Linux, nor [Debian](https://www.debian.org/). This is not ideal, so
+I got to work to solve that problem, at least for Fedora and CentOS, hopefully
+contributing, in a small way, to make the use of Minisign more popular!
+
+I created the package, put it up for
+[review](https://bugzilla.redhat.com/show_bug.cgi?id=1730709), and after it got
+reviewed and accepted, it is now a Fedora and CentOS (EPEL)
+[package](https://apps.fedoraproject.org/packages/minisign)! I also
+[requested](https://pagure.io/releng/fedora-scm-requests/issue/14777) a package
+for EPEL8, so it can be used in
+[CentOS 8](https://wiki.centos.org/About/Building_8), which should be released
+in the near future.
+
+### Installation
+
+You can install Minisign on Fedora >= 30:
+
+ $ sudo dnf install minisign
+
+On CentOS 7 you need to enable [EPEL](https://fedoraproject.org/wiki/EPEL)
+first, if you haven't done so already:
+
+ $ sudo yum install epel-release
+ $ sudo yum install minisign
+
+The [documentation](https://jedisct1.github.io/minisign/) of Minisign, on how
+to set it up, i.e. generate a key, and use it is straightforward, in no way
+comparable to the number of steps you have to walk through to set up and use
+GnuPG securely...
+
+### Software Packaging
+
+An additional bonus is that because Minisign is now packaged for Fedora and
+CentOS, it can be used to verify source tarballs of software during the RPM
+build stage!
+
+To use Minisign, similar to how to use
+[PGP](https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification),
+in your RPM spec files, you can use the following in your `spec` file:
+
+ ...
+
+ Source0: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz
+ Source1: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz.minisig
+ Source2: fkooman.minisign.pub
+ ...
+
+ BuildRequires: minisign
+
+ ...
+
+ %prep
+ /usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}
+
+ ...
+
+Here, `Source2` should be the Minisign public key file, i.e. `minisign.pub`
+that is then added to the Fedora packaging (Git) repository directly, and not
+fetched from the web during package build. The public key MUST be verified (out
+of band) before it can be trusted. Ideally by establishing some trusted
+communication channel with the signer of the source code.
+
+Another step closer to a world without PGP! And maybe packaging Minisign is
+a first step in moving RPM package signatures to use Minisign as well!
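Review bot: the `%prep` excerpt shows the `minisign -V` call but not the `%setup`/`%autosetup` line that follows it in a real spec; since the whole point is to reject a tampered tarball before anything is unpacked, it is worth stating in the post that the verification line must come before `%setup` and that a non-zero exit from `minisign -V` aborts the build. Two smaller points in the prose: "GnuPG, does not seem to be it" has a stray comma after "GnuPG", and "Ideally by establishing some trusted communication channel with the signer of the source code." is a sentence fragment that reads better joined to the previous sentence with a comma ("... before it can be trusted, ideally by establishing ...").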