<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" />
<title>Using Signed Archives</title>
<style type="text/css">
/*
:Author: David Goodger (goodger@python.org)
:Id: $Id: html4css1.css 5196 2007-06-03 20:25:28Z wiemann $
:Copyright: This stylesheet has been placed in the public domain.
Default cascading style sheet for the HTML output of Docutils.
See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/
/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
border: 0 }
table.borderless td, table.borderless th {
/* Override padding for "table.docutils td" with "! important".
The right padding separates the table cells. */
padding: 0 0.5em 0 0 ! important }
.first {
/* Override more specific margin styles with "! important". */
margin-top: 0 ! important }
.last, .with-subtitle {
margin-bottom: 0 ! important }
.hidden {
display: none }
a.toc-backref {
text-decoration: none ;
color: black }
blockquote.epigraph {
margin: 2em 5em ; }
dl.docutils dd {
margin-bottom: 0.5em }
/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
font-weight: bold }
*/
div.abstract {
margin: 2em 5em }
div.abstract p.topic-title {
font-weight: bold ;
text-align: center }
div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
margin: 2em ;
border: medium outset ;
padding: 1em }
div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
font-weight: bold ;
font-family: sans-serif }
div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
color: red ;
font-weight: bold ;
font-family: sans-serif }
/* Uncomment (and remove this text!) to get reduced vertical space in
compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
margin-bottom: 0.5em }
div.compound .compound-last, div.compound .compound-middle {
margin-top: 0.5em }
*/
div.dedication {
margin: 2em 5em ;
text-align: center ;
font-style: italic }
div.dedication p.topic-title {
font-weight: bold ;
font-style: normal }
div.figure {
margin-left: 2em ;
margin-right: 2em }
div.footer, div.header {
clear: both;
font-size: smaller }
div.line-block {
display: block ;
margin-top: 1em ;
margin-bottom: 1em }
div.line-block div.line-block {
margin-top: 0 ;
margin-bottom: 0 ;
margin-left: 1.5em }
div.sidebar {
margin: 0 0 0.5em 1em ;
border: medium outset ;
padding: 1em ;
background-color: #ffffee ;
width: 40% ;
float: right ;
clear: right }
div.sidebar p.rubric {
font-family: sans-serif ;
font-size: medium }
div.system-messages {
margin: 5em }
div.system-messages h1 {
color: red }
div.system-message {
border: medium outset ;
padding: 1em }
div.system-message p.system-message-title {
color: red ;
font-weight: bold }
div.topic {
margin: 2em }
h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
margin-top: 0.4em }
h1.title {
text-align: center }
h2.subtitle {
text-align: center }
hr.docutils {
width: 75% }
img.align-left {
clear: left }
img.align-right {
clear: right }
ol.simple, ul.simple {
margin-bottom: 1em }
ol.arabic {
list-style: decimal }
ol.loweralpha {
list-style: lower-alpha }
ol.upperalpha {
list-style: upper-alpha }
ol.lowerroman {
list-style: lower-roman }
ol.upperroman {
list-style: upper-roman }
p.attribution {
text-align: right ;
margin-left: 50% }
p.caption {
font-style: italic }
p.credits {
font-style: italic ;
font-size: smaller }
p.label {
white-space: nowrap }
p.rubric {
font-weight: bold ;
font-size: larger ;
color: maroon ;
text-align: center }
p.sidebar-title {
font-family: sans-serif ;
font-weight: bold ;
font-size: larger }
p.sidebar-subtitle {
font-family: sans-serif ;
font-weight: bold }
p.topic-title {
font-weight: bold }
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font-family: serif ;
font-size: 100% }
pre.literal-block, pre.doctest-block {
margin-left: 2em ;
margin-right: 2em }
span.classifier {
font-family: sans-serif ;
font-style: oblique }
span.classifier-delimiter {
font-family: sans-serif ;
font-weight: bold }
span.interpreted {
font-family: sans-serif }
span.option {
white-space: nowrap }
span.pre {
white-space: pre }
span.problematic {
color: red }
span.section-subtitle {
/* font-size relative to parent (h1..h6 element) */
font-size: 80% }
table.citation {
border-left: solid 1px gray;
margin-left: 1px }
table.docinfo {
margin: 2em 4em }
table.docutils {
margin-top: 0.5em ;
margin-bottom: 0.5em }
table.footnote {
border-left: solid 1px black;
margin-left: 1px }
table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
padding-left: 0.5em ;
padding-right: 0.5em ;
vertical-align: top }
table.docutils th.field-name, table.docinfo th.docinfo-name {
font-weight: bold ;
text-align: left ;
white-space: nowrap ;
padding-left: 0 }
h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
font-size: 100% }
ul.auto-toc {
list-style-type: none }
</style>
</head>
<body>
<div class="document" id="using-signed-archives">
<h1 class="title">Using Signed Archives</h1>
<p>In this installment of the mini-howto series, we're going to cover signed
archives. Not so long ago, a large number of community servers were cracked.
Among the large numbers of machines that were cracked were the machines that
housed the gnu cvs repositories and Debian's packaging machines. This resulted
in a <em>huge</em> mess; essentally every line of source code in every program had to
be audited one line at a time to make sure the crackers hadn't inserted any
sort of malicious code. Clearly, <em>something</em> needed to be done so that this
could never happen again. The community at large needed a way to detect
archive tampering.</p>
<p>And so signed archives were added into Bazaar. With a signed archive, every single
patch is signed, via gnupg. That way, if the server that
holds an archive is cracked, the source codes integrity can be validationed
(in the absence of successfuly preimage attacks on SHA1).
If the archive survives a proper signature check, then
you know that the archive hasn't been tampered with.</p>
<p>Bazaar requires gnupg be installed to use and create signed archives. If it
is not installed, you will need to do so to continue.</p>
<p>If you are interested in signed archives, then it is from one of two contexts;
either you want get from someone elses' signed archive, or you want to make
a signed archive.</p>
<div class="section" id="using-someone-elses-archive">
<h1>Using someone elses archive</h1>
<p>Baz will automatically detect when archives are signed. If the signature
cannot be verified, the archive will be treated as altered and a error will
be printed to stderr. If you do not have the GPG key for the person whos
archive it is on your keyring, the archive won't be accessible. One way
to ensure you have the required keys is to set <cite>keyserver-options auto-key-retrieve</cite>
in your <cite>.gnupg/gpg.conf</cite>.</p>
<p>The default policy for Bazaar is to require a valid signature from anyone
on a revision. You can create a stricter policy by editing
<cite>~/.arch-params/archives/$archivename</cite> and setting one or more of:</p>
<blockquote>
<ul class="simple">
<li><cite>allowed_ids=john@example.com</cite></li>
<li><cite>allowed_ids=E12334458763524</cite></li>
<li><cite>allowed_fingerprints=E12345677627865429642964236266</cite></li>
</ul>
</blockquote>
</div>
<div class="section" id="creating-your-own-signed-archive">
<h1>Creating your own signed archive</h1>
<p>Not written yet,</p>
<table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field"><th class="field-name">title:</th><td class="field-body"><p class="first">Using Remote Signed Archives</p>
</td>
</tr>
<tr class="field"><th class="field-name">license:</th><td class="field-body"><p class="first">General Public License, V2</p>
</td>
</tr>
<tr class="field"><th class="field-name">copyright:</th><td class="field-body"><ol class="first upperalpha simple" start="3">
<li>2004, 2005 Canonical Ltd.</li>
</ol>
</td>
</tr>
<tr class="field"><th class="field-name">authors:</th><td class="field-body"><p class="first last">James Blackwell <<a class="reference external" href="mailto:jblack@gnuarch.org">jblack@gnuarch.org</a>>, Robert Collins <<a class="reference external" href="mailto:robert.collins@canonical.com">robert.collins@canonical.com</a>></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</body>
</html>
