package conex-mirage-crypto
Install
Dune Dependency
Authors
Maintainers
Sources
sha256=997966693236d1ab2930ff8bb24cce175e88279b99aaacd39fa022d5e45dd3b1
sha512=af207a3e6f35c81745d36fa8759846ed7ac357e9d8dfe0a7f3e0918e2a7f709d48d21ff15d6ee7b399a72c52d9c920cea478b1c7d7ad0d693637983f6dcb8033
Description
Conex is a system based on TUF to establish trust in community repositories. Since opam2, the required hooks are present.
This package uses the crypto primitives provided by mirage-crypto.
Published: 15 Mar 2020
README
Conex - establish trust in community repositories
v0.11.1
Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on the update framework, especially on their CCS 2010 paper, and adapted to the requirements of the opam repository.
The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.
The TUF spec has a good overview of attacks and threat model, both of which are shared by conex.
Project history
Spring 2017, together with Justin Cappos TAP 8 was designed which extends TUF with key rotation and explicit self-revocation.
Early 2017, a blog post introducing a prototype was published.
We presented an earlier design at OCaml 2016 about an earlier design.
Another article on an even earlier design (from 2015) is also available.
Installation
Conex release tarballs are accompanied with OpenPGP signatures in a separate .sig file in the download area.
opam instal conex
will install this library and tool, once you have installed OCaml (>= 4.05.0) and opam (>= 2.0.0beta).
A small test repository with two maintainers is available here including transcripts of how it was setup, and how to setup opams repo validation hook
.
Dependencies (13)
-
base64
>= "3.4.0"
- rresult
- fmt
- logs
-
x509
>= "0.10.0" & < "0.13.0"
-
mirage-crypto-rng
< "0.11.0"
-
mirage-crypto-pk
< "1.0.0"
-
mirage-crypto
< "1.0.0"
-
cstruct
>= "1.6.0"
-
conex
= version
- cmdliner
- dune
-
ocaml
>= "4.07.0"
Dev Dependencies (1)
-
alcotest
with-test
Used by
None
Conflicts
None