
Conversation

@ricardoboss

My use case for this is running phive in a CI pipeline. I want to be able to install PHARs without user interaction and with already known versions.

@theseer
Member

theseer commented Jan 19, 2022

I'm not convinced I like this option. Let me try to explain:

  • While in the end it of course is the user's/admin's choice, generally offering a means to do insecure things should be avoided
  • The very purpose of phive is to download and verify the signatures before using things
  • It appears to me that your main reason for this change is a lack of a means to interactively confirm a key rather than really wanting to skip the verification
    • If that is correct:
      • For the time being, you could be using --trust-gpg-keys and list the trusted key-ids or fingerprints
      • You could also keep the ~/.phive directory with a previously loaded gpg key ring, containing all trusted keys
      • In the hopefully not so distant future, trusted keys can and should be configurable with phive
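A CI-side alternative to a skip flag, along the lines theseer describes above, as an added example that is not part of the phive project: keep the trusted key IDs or fingerprints in a checked-in file, validate that file, and pass its contents to --trust-gpg-keys so the install runs without prompts and without disabling signature verification. The keyfile layout, the function names and the sample key values are assumptions.

```shell
#!/bin/sh
# Added example, not phive's own code. Assumed keyfile layout: one 16-hex GPG
# key ID or 40-hex fingerprint per line, '#' comments and blank lines allowed.

# Print the comma-separated list that phive's --trust-gpg-keys expects.
# Returns 1 (and prints nothing useful) if any entry is malformed, so a typo
# in the pinned list fails the pipeline instead of silently trusting nothing.
trusted_keys_arg() {
    keyfile="$1"
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        # strip trailing comment and all whitespace
        key=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$key" ] && continue
        case "$key" in
            *[!0-9A-Fa-f]*)
                echo "malformed key entry: $line" >&2
                return 1 ;;
        esac
        len=${#key}
        if [ "$len" -ne 16 ] && [ "$len" -ne 40 ]; then
            echo "entry must be a 16-hex key id or 40-hex fingerprint: $line" >&2
            return 1
        fi
        # normalise to upper case so the list is stable across contributors
        out="${out:+$out,}$(printf '%s' "$key" | tr 'a-f' 'A-F')"
    done < "$keyfile"
    [ -n "$out" ] || { echo "no trusted keys listed in $keyfile" >&2; return 1; }
    printf '%s' "$out"
}

# CI entry point: install the PHARs declared in phive.xml, non-interactively,
# trusting only the pinned keys. No --skip-key-verification involved.
ci_install() {
    keys=$(trusted_keys_arg "$1") || return 1
    phive install --trust-gpg-keys "$keys"
}
```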

@ricardoboss
Author

ricardoboss commented Jan 19, 2022

I understand and support your position. On the other hand, I also think it is more important to leave the choice to the user.

My current solution is to add trusted keys via --trust-gpg-keys, but this isn't a long term solution. Checking in ~/.phive with already trusted keys sounds like a reasonable solution.

Anyhow, I think this flag should exist, just in case one quickly needs to test something without user interaction. I'd rather have the choice than be constrained by my tools for "security reasons".

@ricardoboss
Author

I'd also be in for a refactoring (something along the lines of --skip-key-verification-yes-i-know-what-im-doing) and/or a warning message being emitted to draw attention to the fact that what the user is doing could be a bad idea.

@theseer
Member

theseer commented Jan 19, 2022

I'll think about it some more :) Appreciate the work either way!

@ricardoboss
Author

@theseer Hi, I'm currently looking through my open PRs. Have you thought about it yet? :)

@theseer
Member

theseer commented Nov 8, 2022

I'll try to work on phive in the upcoming days, so I'll give more feedback asap.

@ricardoboss
Author

Hey @theseer, how's it going? Any news on what will happen with this PR?
