Sign flists

[rkhamis]

Issue migrated from https://api.github.com/repos/zero-os/0-hub/issues/6, opened by @yveskerwyn

In order to prevent attackers to publish infected flist Dbs

Signed FlistDBs are more secure, trustworthy

We should support this from day one... Docker only introduced this feature with Docker Content Trust later, it automatically signs and verifies the signature of a publisher.

Also the Docker alternative rkt has this capability since inception, signature verification is done by default.

[rkhamis]

commented by @zaibon
Who is going to verify the flists ?

[rkhamis]

commented by @grimpy
@zaibon can't we just add GPG signatures?
So its verified the owner did it

[rkhamis]

commented by @zaibon
OK I misunderstood the point here. I though the point was to verify the content of the flist to see if nothing fishy was put inside.
But if just we want to be able to verify integrity after download, I guess GPG is a good solution

[rkhamis]

commented by @maxux
That's why we have « official » repository (cf. https://staging.hub.gig.tech:4430/).
I think only official repositories can be trusted, the others contains flist « as it », and you should be careful with them.