Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hannesm/conex
establish trust in community repositories, cryptographically signed by library authors
https://github.com/hannesm/conex
conex cryptography ocaml opam package-manager trust
Last synced: about 2 months ago
JSON representation
establish trust in community repositories, cryptographically signed by library authors
- Host: GitHub
- URL: https://github.com/hannesm/conex
- Owner: hannesm
- License: other
- Created: 2015-11-08T22:48:42.000Z (about 9 years ago)
- Default Branch: main
- Last Pushed: 2024-10-14T08:17:35.000Z (3 months ago)
- Last Synced: 2024-10-29T20:12:53.297Z (2 months ago)
- Topics: conex, cryptography, ocaml, opam, package-manager, trust
- Language: OCaml
- Homepage:
- Size: 1.43 MB
- Stars: 34
- Watchers: 11
- Forks: 2
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGES.md
- License: LICENSE.md
Awesome Lists containing this project
README
## Conex - establish trust in community repositories
%%VERSION%%
Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on [the update framework](https://theupdateframework.github.io/), especially on their [CCS 2010 paper](https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf), and adapted to the requirements of the [opam](https://ocaml.opam.org) [repository](https://github.com/ocaml/opam-repository).
The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.
The [TUF spec](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) has a good overview of attacks and threat model, both of which are shared by conex.
## Project history
Spring 2017, together with Justin Cappos [TAP 8](https://github.com/theupdateframework/taps/blob/master/tap8.md) was designed which extends TUF with key rotation and explicit self-revocation.
Early 2017, a [blog post](https://hannes.robur.coop/Posts/Conex) introducing a prototype was published.
We presented [an earlier design at OCaml 2016](https://github.com/hannesm/conex-paper/raw/master/paper.pdf) about an earlier design.
Another article on an [even earlier design (from 2015)](http://opam.ocaml.org/blog/Signing-the-opam-repository/) is also available.
## Installation
Conex release tarballs are accompanied with OpenPGP signatures in a separate .sig file in the download area.
`opam instal conex` will install this library and tool,
once you have installed OCaml (>= 4.13.0) and opam (>= 2.0.0beta).A small test repository with two maintainers is available [here](https://github.com/hannesm/testrepo) including transcripts of how it was setup, and how to setup opams `repo validation hook`.