Package Integrity, Authenticity and Provenance

[vincentparrett]

Other package managers use code signing to help ensure package integrity and authenticity.

The idea is that package consumers can be sure of

a) that the package has not been modified by anyone other than the author (Integrity)
b) the package is actually from the author (Authenticity)
c) that the package actually comes from where it says it does (Provenance).

NuGet uses code signing, both by the package author and by the repo and you can configure the client to decide what/who to trust.

Package signing should not be required for packages or package submission, as this would discourage many from submitting packages due to the cost and effort required to get a code signing certificate.

[vincentparrett]

Some links to peruse later

https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details
https://github.com/NuGet/Home/wiki/Repository-Signatures-and-Countersignatures-Technical-Specification
https://devblogs.microsoft.com/nuget/introducing-signed-package-submissions/

[synopse]

TL&DR: you need not only generate/sign/verify abilities of hashes, but some kind of PKI to maintain a certificate authority chain.

One possibility could be to use Windows' PKI for sure. But it is not easy to work with (installing a certificate is not easy, you need some 3rd party SDK to get SignTool), and you will mess your DPM certificates with other certificates. I guess you will either need to add a new root certificate (not very secure), or buy an official code signing certificate (not cheap).

With mormot.core.ecc.pas you have a simple but full cross-platform PKI, for which DPM could use its own CA chain. Or even several DPM CA chains, separated from the main Windows PKI. The fact that you can sign or verify a package from Linux using our tool may be good for continuous integration.

Package Author signature could be done from the IDE with no external tool involved, just before submission to a DPM server (DPM publishing service). Package Author private key could be signed automatically on this DPM server using one of the DPM private key of the PKI, after simple email registration for instance.
Then the DPM server maintainers may review the pending proposals, and sign it too.
I guess there may be one centralized DPM server for all Delphi users, but several DPM servers could be involved, including local private DPM servers. mormot.core.ecc.pas makes easy to maintain several PKI in separated folders. Of course, for building this DPM servers, I would use mORMot interface based services - but I am biased.

Some thoughs after #18

[vincentparrett]

Linux support is definitely needed, as the server will likely be on linux (cheaper) - I'm using dotnet core for the server though as I have lots of experience with it writing server and web applications. dotnet core does have code for working with x509 certs etc, but I have no idea on it's linux support. When I get closer to working on the server again I will investigate all of this more fully.