Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rewrite update.go & signer.go to use more userfriendly signing process #311

Open
ZyanKLee opened this issue Jun 2, 2022 · 3 comments
Open

rewrite update.go & signer.go to use more userfriendly signing process #311

ZyanKLee opened this issue Jun 2, 2022 · 3 comments
Assignees
@ZyanKLee
Labels
go Pull requests that update Go code refactoring Rewriting or improving existing behaviour

Comments

@ZyanKLee
Copy link
Contributor

ZyanKLee commented Jun 2, 2022
edited
Loading

Replace custom signing process in scripts/signer.go and update.go with well established format. Maybe even replace scripts/signer.go with the corresponding cli in the Makefile and implement verification in update.go

See #310 for example of why the current process is not optimal since the existance of the signature file is now more apparent.
@ZyanKLee ZyanKLee self-assigned this Jun 2, 2022
@ZyanKLee ZyanKLee changed the title rewrite signer.org to use gpg rewrite signer.go to use gpg Jun 2, 2022
@ZyanKLee ZyanKLee changed the title rewrite signer.go to use gpg rewrite update.go & signer.go to use gpg Jun 2, 2022
@ZyanKLee ZyanKLee changed the title rewrite update.go & signer.go to use gpg rewrite update.go & signer.go to use more userfriendly signing process Jun 2, 2022
@ZyanKLee
Copy link
Contributor Author

ZyanKLee commented Jun 2, 2022

Just found golang/go#44226 which sadly states that the usage of the openpgp module for go is discouraged. Will need to look a little deeper into the matter and search for alternatives or even just a change in naming so it is more obvious how to use the signature.

@ZyanKLee ZyanKLee added refactoring Rewriting or improving existing behaviour go Pull requests that update Go code labels Jun 2, 2022
@ZyanKLee
Copy link
Contributor Author

ZyanKLee commented Jun 2, 2022

Perhaps this can even be solved by documentation.
openssl/openssl#6988 (comment)

@Technetium1 Technetium1 mentioned this issue Jun 2, 2022
Closed
4 tasks
@AXDOOMER
Copy link
Collaborator

AXDOOMER commented Jun 4, 2022

I found a solution which I think it's great.

I was looking at crypto libs and stumbled upon the Ethereum cryptographic algorithms for Go.

Repo: https://github.com/ethereum/go-ethereum

It's actively maintained. I found another replacement, but this one wasn't. So I suggest we avoid using PGP or GPG and go for ECDSA. There is a good article explaining how to implement it online and I'd like to implement it if we go forward with this solution. I believe it's a good choice: If it wasn't, lots of people would be at risk of losing lots of money.

I found that it also implements Ed25519, which according to this article is more secure. This is the algorithm we currently use. I also suggest we could pick this one to make things easier. Both algorithms bring good levels of security.

In case there are any incompatibilities, the current verification scheme and the new one could cohabit for a few months while people update their version of NoiseTorch. This will avoid new issues like #319. If we have to go this way, a message telling users to update as soon as possible should be displayed.

The latest release of Go allows to run .go files as scripts, for example go script signature.go noisetorchbinarypath which should be user friendly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ZyanKLee ZyanKLee

Labels
go Pull requests that update Go code refactoring Rewriting or improving existing behaviour
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ZyanKLee @AXDOOMER