Comments (5)
- Signing of artifacts should be done using the owner's private key. Only the user has this key. If we are planning to sign artifacts, it should be implemented on the user side. After that the user should upload the file and signature to gorjun.
- Another option is to sign all artifacts using the gorjun node key. It would just allow validating that the file was downloaded from the gorjun CDN and is valid.
@tzununbekov @akarasulu @dilshat
Asking the user to sign artifacts before upload is an extremely unfriendly way, I think; meanwhile, signing the file with our own key allows us to validate only file integrity, not ownership, and using signatures is overkill for this purpose.
In my point of view, we should think about two things:
- using a browser plugin for signing artifacts
- we need to figure out how those artifacts will be created and, if possible, add a signing mechanism to the generation step. Since for deb and raw files signatures are useless, we need to think about how the user will create a custom template before uploading
We need to thoroughly discuss this topic all together
@soffokl The second option is not sufficient to authenticate the artifact. It just verifies that the artifact was transferred without tampering from the CDN->User. The first option handles the full path Owner->CDN->User. @tzununbekov has the right idea here to use the e2e plugin. More thoughts below ...
We can implement the first option easily. The signatures are applied to the file's checksum, right? So before uploading an artifact, the application (SS, Hub) should require the owner/uploader to sign the checksum. I think this can be delegated to the e2e plugin to handle in both UIs. It's being done now already for signing various documents. It would be very easy to do this.
SS and the Hub should support automated (via the e2e plugin) and manual mechanisms to produce and upload the signature into the CDN.
SubOS will need to simply pull down the artifact and its signature, then verify the signature against the public key of the owner to authenticate the artifact.
Does this clarify?
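The Owner->CDN->User flow described in the comment above, as an added example that is not code from the gorjun/kurjun or SubOS projects: the owner signs the SHA-256 checksum before upload, the importing side recomputes the checksum of the downloaded bytes and verifies it against the owner's public key, and a signature made with a CDN node key is shown to say nothing about ownership. Ed25519 and the struct names are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact is what the uploader hands to the CDN: the file bytes plus the
// owner's signature over the file's SHA-256 checksum (type name is constructed here).
type SignedArtifact struct {
	Data      []byte
	Signature []byte
}

// checksum computes the digest the signature is applied to.
func checksum(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// SignArtifact runs on the owner's side before upload (Hub/SS, e.g. via the e2e plugin).
func SignArtifact(priv ed25519.PrivateKey, data []byte) SignedArtifact {
	return SignedArtifact{Data: data, Signature: ed25519.Sign(priv, checksum(data))}
}

// VerifyArtifact runs on the importing side: recompute the checksum of the downloaded
// bytes and check the signature against the owner's public key, not the CDN's.
func VerifyArtifact(ownerPub ed25519.PublicKey, a SignedArtifact) error {
	if len(ownerPub) != ed25519.PublicKeySize {
		return errors.New("malformed owner public key")
	}
	if !ed25519.Verify(ownerPub, checksum(a.Data), a.Signature) {
		return errors.New("signature does not match owner key or artifact was modified")
	}
	return nil
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cdnPub, cdnPriv, _ := ed25519.GenerateKey(rand.Reader)
	art := SignArtifact(ownerPriv, []byte("constructed template payload"))
	fmt.Println("owner-signed:", VerifyArtifact(ownerPub, art)) // nil
	tampered := SignedArtifact{Data: append([]byte{}, art.Data...), Signature: art.Signature}
	tampered.Data[0] ^= 1 // any change on the Owner->CDN->User path is caught
	fmt.Println("tampered:", VerifyArtifact(ownerPub, tampered)) // error
	cdnSigned := SignArtifact(cdnPriv, art.Data) // second option from the thread
	fmt.Println("cdn key, cdn sig:", VerifyArtifact(cdnPub, cdnSigned))     // nil: transport only
	fmt.Println("owner key, cdn sig:", VerifyArtifact(ownerPub, cdnSigned)) // error: no ownership
}
```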
@akarasulu yes, this clarifies lots of questions
In the described workflow we should include @dilshat and @samsonbek to assist with e2e integration from the SS and Hub sides
As I see it now, we'll need to add one additional step for both upload and import operations: signing the hash during upload from the Hub and checking the signature while importing to SS
I'll review kurjun and subos source code to recall current algorithm and to prepare changes
Merged in production