Re: [Chicken-users] chicken-install package integrity/signing
From: Mario Domenech Goulart
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Tue, 25 Dec 2018 22:31:10 +0100
Hi Jason,
On Sun, 23 Dec 2018 23:55:56 +0000 Jason Valencia <address@hidden> wrote:
> Mario Domenech Goulart wrote:
>> On Sun, 23 Dec 2018 00:11:51 +0000 Jason Valencia <address@hidden> wrote:
>> > Until this is resolved, is anyone aware of good ways to install eggs
>> > more securely? A couple options come to mind but they seem overkill.
>> >
>> > - Running a local egg mirror with henrietta as it looks like it can
>> > fetch over HTTPS
>> >
>> > - Downloading packages with chicken-install -retrieve (to just
>> > download instead of installing) and manually inspecting each one
>>
>> We actually have tarballs for eggs. They are not used by any tool, so
>> I guess nobody is really making use of them so far. Anyway, they are
>> here: https://code.call-cc.org/egg-tarballs/
>>
>> They are served via HTTPS and there are checksum files for the
>> tarballs. They are not signed, though. There is an index file for
>> each tarball repository (one per major CHICKEN version). For example,
>> for CHICKEN 5: https://code.call-cc.org/egg-tarballs/5/index.gz
>> (gzip-compressed).
>>
>> The format of the index is:
>>
>> * The first line is the index format version
>>
>> * the following lines have this format:
>> (<egg> <version> <tarball size> <tarball SHA1 sum> <dependencies> <test
>> dependencies>)
>
> Thanks, that is very helpful.
>
>> I have a very ugly script that generates a Makefile to fetch, unpack
>> and install egg tarballs. If you are interested, let me know.
>
> That would be great! Even if it is ugly it should give me a better
> understanding of how this works.
Ok. I've uploaded it to https://github.com/mario-goulart/egg-layer.
I've added a README file with some notes. I should repeat and emphasize
that this is a very ugly hack.
All the best.
Mario
--
http://parenteses.org/mario