Introducing Jcat
2020-02-25
Jcat is a gzipped JSON file of detached signatures. Because it’s gzipped it’s easy to compress and decompress in basically any language, and because it’s JSON it’s dead simple to parse and generate in any framework. There is a little overhead of some metadata (e.g. signing ID, creation time, etc.), but it’s all the kind of thing you can just edit in vim if you needed to. There’s also support for storing binary stuff like DER certificates (base64 to the rescue…), but if possible I’d like it to be all readable in a text editor. The jcat command line tool can import existing detached signatures into the Jcat file, and can also verify an existing .jcat file against all the files in a directory or archive. You can include multiple signatures for the same file (using the AppStream ID as the key) and of course sign multiple files using all the cryptographic engines you need. There’s also rudimentary support for actually creating signatures in the jcat command line client too, although it’s WIP for the GnuTLS engine and completely missing for GPGME at the moment.
This new thing also lets us fix another glaring issue in fwupd. Some companies can’t use PKCS-7, and some can’t use GPG, for equally bad and nonsensical reasons. At the moment you need to specify the remote keyring when enabling a remote, as we need to know whether to download the metadata.xml.gz.asc or the .p7b version. Using a .jcat file allows you to not care, and just download one detached thing that can be used no matter how you’ve compiled your system. By adding SHA-256 as an additional not-to-be-used-for-trust engine, Jcat also lets you verify the download of your metadata and cabinet files even when you don’t have GPG or PKCS-7 available, which I know at least one company does on an IoT project. Jcat allows us to move the scary cryptographic verification code out of fwupd and makes the update-your-firmware codebase easier to maintain without worrying about potential landmines.
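To make the shape concrete, here is an added Python example (not the post's or libjcat's own code) that builds a small gzipped JSON catalogue with a SHA-256 integrity blob per file and then verifies a directory against it, treating a missing file or a digest mismatch as a failure. The JSON key names, the `sample_dir` helper and the file contents are assumptions constructed for this example, not libjcat's real schema.

```python
import base64, gzip, hashlib, hmac, json, os, tempfile, time

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_jcat(files: dict, signing_id: str) -> bytes:
    """Gzipped JSON with one item per file, each carrying a SHA-256 checksum blob.
    Key names are an assumption made for this example, not libjcat's real schema."""
    items = []
    for name, data in files.items():
        items.append({
            "Id": name,  # the key a consumer looks the file up by
            "Blobs": [{
                "Kind": "sha256",  # integrity-only engine, never a trust decision
                "SigningId": signing_id,
                "Timestamp": int(time.time()),
                # payloads are base64 so the catalogue stays text-editable
                "Data": base64.b64encode(sha256_hex(data).encode()).decode(),
            }],
        })
    doc = {"JcatVersion": "0.1-example", "Items": items}
    return gzip.compress(json.dumps(doc, indent=1).encode())

def verify_jcat(jcat_bytes: bytes, directory: str) -> dict:
    """Check each item against the same-named file in `directory`; a missing file
    or digest mismatch yields False, and unknown blob kinds are skipped, not trusted."""
    doc = json.loads(gzip.decompress(jcat_bytes))
    results = {}
    for item in doc["Items"]:
        path = os.path.join(directory, item["Id"])
        if not os.path.isfile(path):
            results[item["Id"]] = False
            continue
        with open(path, "rb") as fh:
            actual = sha256_hex(fh.read())
        ok = False
        for blob in item["Blobs"]:
            if blob.get("Kind") == "sha256":
                expected = base64.b64decode(blob["Data"]).decode()
                ok = ok or hmac.compare_digest(expected, actual)
        results[item["Id"]] = ok
    return results

def sample_dir(files: dict) -> str:
    """Write constructed sample files into a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix="jcat-example-")
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory
```

Because the checksum blob is integrity-only, a consumer that lacks GPG or PKCS-7 can still detect a corrupted or swapped download, but must not treat a matching digest as proof of who published the file.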