[systemd-devel] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?

Lennart Poettering lennart at poettering.net
Thu Dec 10 10:13:44 UTC 2020


On Do, 10.12.20 10:58, Arian Van Putten (arian at wire.com) wrote:

> I think it's an excellent idea.
>
> Question: Currently systemd-importd still has an indirect dependency on
> libgcrypt through it depending on the gnupg binary for signatures.
> Would it maybe be an idea to add support for other signature schemes to
> importd that can be directly implemented with openssl?

Yes, ed25519 sounds like an excellent choice.

systemd-homed exclusively signs its user records with ed25519 btw.

> A good start would be to support PKCS#7 signatures. But we could also
> opt for something more simple akin to OpenBSD signify (A simple ed25519
> signature over a hash).

The kernel supports validating dm-verity images with PKCS#7 hashes,
which we support in RootHashSignature= in unit files. (These are
signatures of the root hash of the dm-verity Merkle tree, not
signatures of the image as a whole, though).

> I personally work around this by having built https://ruuda.github.io/tako/
> with a colleague which I use to download and verify nspawn container
> images. But it would be cool if importd could natively support signature
> checking with other backends than GnuPG.

I am totally on board with this. Both ed25519 and PKCS#7 appear a
million times better than gpg for things like this. We have code for
both already in place in one form or another.

I'd be fine supporting both for importd. I am not a fan of gpg, and
would much rather have everyone use either ed25519 or PKCS#7 for this.

Looking forward to your patches ;-)

Lennart

--
Lennart Poettering, Berlin
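
The signify-style scheme discussed in this thread (an ed25519 signature over a hash of the image), sketched as an added example that is not part of the original message and is not systemd or importd code. It uses Node.js's built-in OpenSSL-backed crypto module; the one-line manifest format, the function names and the sample data are assumptions of this example.

```javascript
// Added example, not systemd/importd code. Uses only Node.js built-in crypto.
const nodeCrypto = require("crypto");

const sha256Hex = (buf) =>
  nodeCrypto.createHash("sha256").update(buf).digest("hex");

// Publisher: sign a one-line manifest (format is an assumption of this example).
function signManifest(privateKey, name, image) {
  const manifest = Buffer.from(`SHA256 (${name}) = ${sha256Hex(image)}\n`);
  // Ed25519 does its own hashing, so the digest algorithm argument is null.
  return { manifest, signature: nodeCrypto.sign(null, manifest, privateKey) };
}

// Importer: returns "ok", or the reason the image must be rejected.
function verifyImage(pinnedKey, name, image, manifest, signature) {
  // 1. Authenticate the manifest before parsing or trusting any of it.
  if (signature.length !== 64 ||
      !nodeCrypto.verify(null, manifest, pinnedKey, signature)) {
    return "bad-signature";
  }
  // 2. The signed name must be the file we asked for, so a validly signed
  //    manifest for a different image cannot be substituted.
  const m = /^SHA256 \((.+)\) = ([0-9a-f]{64})\n$/.exec(manifest.toString());
  if (!m || m[1] !== name) return "wrong-manifest";
  // 3. Only now compare the downloaded bytes against the signed digest.
  return sha256Hex(image) === m[2] ? "ok" : "digest-mismatch";
}

// Constructed sample data: throwaway keys and a stand-in for the image bytes.
const publisher = nodeCrypto.generateKeyPairSync("ed25519");
const stranger = nodeCrypto.generateKeyPairSync("ed25519");
const image = Buffer.from("constructed stand-in for container.raw");
const { manifest, signature } = signManifest(publisher.privateKey, "container.raw", image);

function demo() {
  const tampered = Buffer.concat([image, Buffer.from("!")]);
  const check = (key, name, img) => verifyImage(key, name, img, manifest, signature);
  return {
    good: check(publisher.publicKey, "container.raw", image),
    tamperedImage: check(publisher.publicKey, "container.raw", tampered),
    wrongKey: check(stranger.publicKey, "container.raw", image),
    renamed: check(publisher.publicKey, "other.raw", image),
  };
}

console.log(demo());
```

The signature covers the manifest rather than the image bytes, so the image is only trusted after both the signature check and the digest comparison pass.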

