Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hannesm/conex
establish trust in community repositories, cryptographically signed by library authors
conex cryptography ocaml opam package-manager trust
- Host: GitHub
- URL: https://github.com/hannesm/conex
- Owner: hannesm
- License: other
- Created: 2015-11-08T22:48:42.000Z (about 9 years ago)
- Default Branch: main
- Last Pushed: 2024-10-14T08:17:35.000Z (30 days ago)
- Last Synced: 2024-10-29T20:12:53.297Z (14 days ago)
- Topics: conex, cryptography, ocaml, opam, package-manager, trust
- Language: OCaml
- Homepage:
- Size: 1.43 MB
- Stars: 34
- Watchers: 11
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: CHANGES.md
- License: LICENSE.md
README
## Conex - establish trust in community repositories
Conex is a utility to verify and attest the release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on [the update framework](https://theupdateframework.github.io/), especially on their [CCS 2010 paper](https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf), and adapted to the requirements of the [opam](https://ocaml.opam.org) [repository](https://github.com/ocaml/opam-repository).
Developers sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the relation between a package name and the developer keys authorised for it. These repository maintainers are in turn enrolled by a quorum of offline root keys.
The [TUF spec](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) has a good overview of attacks and threat model, both of which are shared by conex.
## Project history
Spring 2017, together with Justin Cappos [TAP 8](https://github.com/theupdateframework/taps/blob/master/tap8.md) was designed which extends TUF with key rotation and explicit self-revocation.
Early 2017, a [blog post](https://hannes.robur.coop/Posts/Conex) introducing a prototype was published.
We presented [an earlier design at OCaml 2016](https://github.com/hannesm/conex-paper/raw/master/paper.pdf).
Another article on an [even earlier design (from 2015)](http://opam.ocaml.org/blog/Signing-the-opam-repository/) is also available.
## Installation
Conex release tarballs are accompanied with OpenPGP signatures in a separate .sig file in the download area.
`opam install conex` will install this library and tool, once you have installed OCaml (>= 4.13.0) and opam (>= 2.0.0beta).

A small test repository with two maintainers is available [here](https://github.com/hannesm/testrepo), including transcripts of how it was set up and how to set up opam's `repo validation hook`.