THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Proposals/2012-06-06/Detached Signed SPDX Files"
Line 1: | Line 1: | ||
− | <p> </p><h2>Status</h2><p><strong>Draft</strong></p><h2>Issue</h2><p>Currently there is no way to be sure that an SPDX file has not been modified by a third party after it was produced. See also, <a href="https://bugs.linuxfoundation.org/show_bug.cgi?id=980">issue 980</a>.</p><h2>Proposal</h2><p>Modify the spec to state that</p><ol><li><strong>Signing Convention: </strong>SPDX producers <strong>may </strong> cryptographically sign SPDX files using the PGP detached signature format as specified in RFC 2440. This format does not modify the original SPDX, but rather creates a separate <filename>.sig or <filename>.sign file containing a signature for the original file. </li><li><strong>Signature File Naming Convention: </strong>The signature filename should be either <filename>.sig or <filename>.sign and be in the same directory as the SPDX file.</li><li><strong>Signature File Renaming: </strong>Renames of an SPDX file from <filename1> to <filename2> should also rename any <filename1>.sig or <filename1>.sign files to <filename2>.sig or <filename2>.sign respectively. </li><li><strong>Consumption Optional: </strong>SPDX consumers <strong>may</strong> accept or ignore SPDX signature files. </li><li><strong>Production Optional: </strong>SPDX producers would have the option of signing SPDX files but would <strong>not</strong> be required to do so. </li></ol><h3>Example</h3><h5>SPDX file</h5><pre><code> SPDXVersion: SPDX-1.0 DataLicense: PDDL-1.0 Creator: Person: Ed Warnicke </code></pre><h5>Signed SPDX file</h5><pre><code> -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEABECAAYFAk9WSn0ACgkQpqzn7Jq4hlCfYACbBelTUtjOGAYrSBXEODD9Ukpo vuAAn2gLkGsGOntkUTERnISOyOoBJxlT =JxE7 -----END PGP SIGNATURE----- </code></pre><h5>Command sign an SPDX file</h5><pre><code> $ gpg --armor --output example.spdx.sign --detach-sig example.spdx</code></pre><h2>Advantages</h2><p>Detaching the signature in the SPDX file has several advantages.</p><ol><li><strong>Leverage Existing Tools: </strong>It allows underlying tools that are used to process the formats into which SPDX is normally encoded (RDF tools, Tag Tools, XML Tools, etc) to continue to function normally. </li><li><strong>Tooling Simplication: </strong>It makes tooling for SPDX easier because it allows issues of file authentication to be considered orthogonally from other issues. A tool maker who *just* wants to focus on processing SPDX data does not need to worry about knowing how to unpack a wrapper.</li><li><strong>Community Standard: </strong>It follows the convention already being followed by kernel.org, mavencentral, the apache foundation, and most packagers.</li></ol><h2>Disadvantages</h2><p>Detaching the signature in the SPDX file could lead to</p><ol><li><strong>Misplaced Signatures: </strong>Separation of the signature file from the SPDX file makes it possible for the signature to become separated from the SPDX file</li><li><strong>Signature Correlation: </strong>Separation of the signature file from the SPDX file introduces the need to correlate signature files with SPDX files.</li></ol><div><h2>Responses to Disadvantages</h2><ol><li><strong>Misplaced Signatures -- Existing Archive Formats: </strong>SPDX signature files can be passed along with SPDX data files by simple archiving in a common archive format like .zip, providing all of the benefits of inline signatures, while retaining the advantages of detached signatures.</li><li><strong>Signature Correlation - Signature File Naming Convention: </strong>The SPDX signature file naming and placement conventions in the proposal eliminate concerns about correlation.</li></ol></div><h2>Compatibility</h2><p>This proposal will produce files that are trivially backwards compatible. Specifically a signed filed will be readable by SPDX-1.0 compliant consumers and any tool capable of reading it's underlying encoding format (RDF, XML, Tag). By making the issue of signing orthogonal, we maintain separation of concerns.</p><p> </p> | + | <p> </p><h2>Status</h2><p><strong>Draft</strong></p><h2>Issue</h2><p>Currently there is no way to be sure that an SPDX file has not been modified by a third party after it was produced. See also, <a href="https://bugs.linuxfoundation.org/show_bug.cgi?id=980">issue 980</a>.</p><h2>Proposal</h2><p>Modify the spec to state that</p><ol><li><strong>Signing Convention: </strong>SPDX producers <strong>may </strong> cryptographically sign SPDX files using the PGP detached signature format as specified in RFC 2440. This format does not modify the original SPDX, but rather creates a separate <filename>.sig or <filename>.sign file containing a signature for the original file. </li><li><strong>Signature File Naming Convention: </strong>The signature filename should be either <filename>.sig or <filename>.sign and be in the same directory as the SPDX file.</li><li><strong>Signature File Renaming: </strong>Renames of an SPDX file from <filename1> to <filename2> should also rename any <filename1>.sig or <filename1>.sign files to <filename2>.sig or <filename2>.sign respectively. </li><li><strong>Consumption Optional: </strong>SPDX consumers <strong>may</strong> accept or ignore SPDX signature files. </li><li><strong>Production Optional: </strong>SPDX producers would have the option of signing SPDX files but would <strong>not</strong> be required to do so. </li></ol><h3>Example</h3><h5>SPDX file</h5><pre><code> SPDXVersion: SPDX-1.0 DataLicense: PDDL-1.0 Creator: Person: Ed Warnicke </code></pre><h5>Signed SPDX file</h5><pre><code> -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEABECAAYFAk9WSn0ACgkQpqzn7Jq4hlCfYACbBelTUtjOGAYrSBXEODD9Ukpo vuAAn2gLkGsGOntkUTERnISOyOoBJxlT =JxE7 -----END PGP SIGNATURE----- </code></pre><h5>Command sign an SPDX file</h5><pre><code> $ gpg --armor --output example.spdx.sign --detach-sig example.spdx</code></pre><h2>Advantages</h2><p>Detaching the signature in the SPDX file has several advantages.</p><ol><li><strong>Leverage Existing Tools: </strong>It allows underlying tools that are used to process the formats into which SPDX is normally encoded (RDF tools, Tag Tools, XML Tools, etc) to continue to function normally. </li><li><strong>Tooling Simplication: </strong>It makes tooling for SPDX easier because it allows issues of file authentication to be considered orthogonally from other issues. A tool maker who *just* wants to focus on processing SPDX data does not need to worry about knowing how to unpack a wrapper.</li><li><strong>Community Standard: </strong>It follows the convention already being followed by kernel.org, mavencentral, the apache foundation, and most packagers.</li></ol><h2>Disadvantages</h2><p>Detaching the signature in the SPDX file could lead to</p><ol><li><strong>Misplaced Signatures: </strong>Separation of the signature file from the SPDX file makes it possible for the signature to become separated from the SPDX file</li><li><strong>Signature Correlation: </strong>Separation of the signature file from the SPDX file introduces the need to correlate signature files with SPDX files.</li></ol><div><h2>Responses to Disadvantages</h2><ol><li><strong>Misplaced Signatures -- Existing Archive Formats: </strong>SPDX signature files can be passed along with SPDX data files by simple archiving in a common archive format like .zip, providing all of the benefits of inline signatures, while retaining the advantages of detached signatures. This solution is proposed in <a href="http://spdx.org/wiki/2012-mar-11-spdx-file-aggregation">Proposal 2012-Mar-11 SPDX File Aggregation</a></li><li><strong>Signature Correlation - Signature File Naming Convention: </strong>The SPDX signature file naming and placement conventions in the proposal eliminate concerns about correlation.</li></ol></div><h2>Compatibility</h2><p>This proposal will produce files that are trivially backwards compatible. Specifically a signed filed will be readable by SPDX-1.0 compliant consumers and any tool capable of reading it's underlying encoding format (RDF, XML, Tag). By making the issue of signing orthogonal, we maintain separation of concerns.</p><p> </p> |
Revision as of 01:27, 12 March 2012
Contents
Status
Draft
Issue
Currently there is no way to be sure that an SPDX file has not been modified by a third party after it was produced. See also, <a href="https://bugs.linuxfoundation.org/show_bug.cgi?id=980">issue 980</a>.
Proposal
Modify the spec to state that
- Signing Convention: SPDX producers may cryptographically sign SPDX files using the PGP detached signature format as specified in RFC 2440. This format does not modify the original SPDX, but rather creates a separate <filename>.sig or <filename>.sign file containing a signature for the original file.
- Signature File Naming Convention: The signature filename should be either <filename>.sig or <filename>.sign and be in the same directory as the SPDX file.
- Signature File Renaming: Renames of an SPDX file from <filename1> to <filename2> should also rename any <filename1>.sig or <filename1>.sign files to <filename2>.sig or <filename2>.sign respectively.
- Consumption Optional: SPDX consumers may accept or ignore SPDX signature files.
- Production Optional: SPDX producers would have the option of signing SPDX files but would not be required to do so.
Example
SPDX file
<code> SPDXVersion: SPDX-1.0 DataLicense: PDDL-1.0 Creator: Person: Ed Warnicke </code>
Signed SPDX file
<code> -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEABECAAYFAk9WSn0ACgkQpqzn7Jq4hlCfYACbBelTUtjOGAYrSBXEODD9Ukpo vuAAn2gLkGsGOntkUTERnISOyOoBJxlT =JxE7 -----END PGP SIGNATURE----- </code>
Command sign an SPDX file
<code> $ gpg --armor --output example.spdx.sign --detach-sig example.spdx</code>
Advantages
Detaching the signature in the SPDX file has several advantages.
- Leverage Existing Tools: It allows underlying tools that are used to process the formats into which SPDX is normally encoded (RDF tools, Tag Tools, XML Tools, etc) to continue to function normally.
- Tooling Simplication: It makes tooling for SPDX easier because it allows issues of file authentication to be considered orthogonally from other issues. A tool maker who *just* wants to focus on processing SPDX data does not need to worry about knowing how to unpack a wrapper.
- Community Standard: It follows the convention already being followed by kernel.org, mavencentral, the apache foundation, and most packagers.
Disadvantages
Detaching the signature in the SPDX file could lead to
- Misplaced Signatures: Separation of the signature file from the SPDX file makes it possible for the signature to become separated from the SPDX file
- Signature Correlation: Separation of the signature file from the SPDX file introduces the need to correlate signature files with SPDX files.
Responses to Disadvantages
- Misplaced Signatures -- Existing Archive Formats: SPDX signature files can be passed along with SPDX data files by simple archiving in a common archive format like .zip, providing all of the benefits of inline signatures, while retaining the advantages of detached signatures. This solution is proposed in <a href="http://spdx.org/wiki/2012-mar-11-spdx-file-aggregation">Proposal 2012-Mar-11 SPDX File Aggregation</a>
- Signature Correlation - Signature File Naming Convention: The SPDX signature file naming and placement conventions in the proposal eliminate concerns about correlation.
Compatibility
This proposal will produce files that are trivially backwards compatible. Specifically a signed filed will be readable by SPDX-1.0 compliant consumers and any tool capable of reading it's underlying encoding format (RDF, XML, Tag). By making the issue of signing orthogonal, we maintain separation of concerns.