https://github.com/ropensci-archive/notary
:no_entry: ARCHIVED :no_entry: Signing and Verification of R Packages
- Host: GitHub
- URL: https://github.com/ropensci-archive/notary
- Owner: ropensci-archive
- License: other
- Archived: true
- Created: 2017-05-25T17:23:28.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2022-05-10T13:58:50.000Z (over 2 years ago)
- Last Synced: 2024-05-21T02:54:29.875Z (6 months ago)
- Topics: r, r-package, rstats, unconf, unconf17
- Language: R
- Homepage:
- Size: 16.4 MB
- Stars: 47
- Watchers: 6
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README-NOT.md
- License: LICENSE
Awesome Lists containing this project
- jimsghstars - ropensci-archive/notary - :no_entry: ARCHIVED :no_entry: Signing and Verification of R Packages (R)
README
[![Project Status: Abandoned – Initial development has started, but there has not yet been a stable, usable release; the project has been abandoned and the author(s) do not intend on continuing development.](https://www.repostatus.org/badges/latest/abandoned.svg)](https://www.repostatus.org/#abandoned)
### Problems
![](img/problems.png)
### Solutions (current)
**GitHub**
- Only install signed releases
- Verify release signatures

**CRAN**
- Reimagining integrity mirror integrity
[![Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.](http://www.repostatus.org/badges/latest/wip.svg)](http://www.repostatus.org/#wip) [![Travis-CI Build Status](https://travis-ci.org/ropenscilabs/notary.svg?branch=master)](https://travis-ci.org/ropenscilabs/notary) [![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/github/ropenscilabs/notary?branch=master&svg=true)](https://ci.appveyor.com/project/jeroen/notary)
`notary` : Signing and Verification of R Packages
### Methods
More for users:
CRAN-ish
- `install_packages`: Install and verify packages
- `download_packages`: Download and verify packages
- `available_packages`: Download and verify package indices

GitHub-ish
- `install_release`: Validate that the current GitHub release is GPG signed and install it if so
- `validate_release`: Validate that the current GitHub release is GPG signed
- `retrieve_release_signature`: Retrieve the GitHub signing information for the latest release of a package
- `get_tags`: Retrieve a data frame of GitHub package tag (release) info

`source()`-ish
- `source_safe_sign`: Source a file with verification
- `sys_source_safe_sign`: Source a file with verification

More for plumbers:
- `package_index_prepare`: Prepare a package index
### The Book of R \[Security\]
### A gif is worth a thousand words
![](img/smaller.gif)
### Usage
``` r
library(notary)
library(tidyverse)
```

``` r
validate_release("hrbrmstr/hrbrthemes")
## Repo/Package: hrbrmstr/hrbrthemes (v0.3.0)
## Committer: Bob Rudis
## GitHub Verified: TRUE
## GPG Fingerprint: 3773E53B2013A722FA67C6F02A514A4997464560
## Trusted peer: TRUE
## Timestamp: 2017-05-10 11:15:21
## Algorithm: RSA + SHA256

validate_release("ironholds/rgeolocate")
## Repo/Package: ironholds/rgeolocate (0.8.0)
## Committer: Oliver Keyes
## GitHub Verified: FALSE
## GPG Fingerprint:
## Trusted peer:
## Timestamp:
## Algorithm: +

retrieve_release_signature("hrbrmstr/ggalt")
## Latest release is not signed or has not been verified
## NULL

glimpse(get_tags("hrbrmstr/hrbrthemes"))
## Observations: 2
## Variables: 9
## $ user "hrbrmstr", "hrbrmstr"
## $ repo "hrbrthemes", "hrbrthemes"
## $ tag "v0.3.0", "v0.1.0"
## $ committer "Bob Rudis", "boB Rudis"
## $ committer_email "[email protected]", "[email protected]"
## $ verified TRUE, FALSE
## $ reason "-----BEGIN PGP SIGNATURE-----\n\niQIcBAABCAAGBQJZE1i5AAoJECpRSkmXRkVgYzAP/je9bp3imLA9LZPOF...
## $ signature "-----BEGIN PGP SIGNATURE-----\n\niQIcBAABCAAGBQJZE1i5AAoJECpRSkmXRkVgYzAP/je9bp3imLA9LZPOF...
## $ payload "tree d2959bd73ad3af822e7370553242fbf045438e8d\nparent 52539bf3dc91776c8cb988efdca6565b8b69...

get_tags("tidyverse/dplyr")
## # A tibble: 14 x 9
## user repo tag committer committer_email verified reason signature payload
##
## 1 tidyverse dplyr v0.6.0-rc hadley [email protected] FALSE
## 2 tidyverse dplyr v0.5.0 hadley [email protected] FALSE
## 3 tidyverse dplyr v0.4.3 Romain Francois [email protected] FALSE
## 4 tidyverse dplyr v0.4.2 hadley [email protected] FALSE
## 5 tidyverse dplyr v0.4.1 hadley [email protected] FALSE
## 6 tidyverse dplyr v0.4.0 hadley [email protected] FALSE
## 7 tidyverse dplyr v0.3.0.1 Hadley Wickham [email protected] FALSE
## 8 tidyverse dplyr v0.3 hadley [email protected] FALSE
## 9 tidyverse dplyr v0.2.0 hadley [email protected] FALSE
## 10 tidyverse dplyr v0.1.3 hadley [email protected] FALSE
## 11 tidyverse dplyr v0.1.2 hadley [email protected] FALSE
## 12 tidyverse dplyr v0.1.2-cran-rc hadley [email protected] FALSE
## 13 tidyverse dplyr v0.1.1 Romain François [email protected] FALSE
## 14 tidyverse dplyr v0.1 hadley [email protected] FALSE
```

### Code of Conduct
Please note that this project is released with a [Contributor Code of Conduct](CONDUCT.md). By participating in this project you agree to abide by its terms.