On Mon, Jan 13, 2025 at 02:49:37PM +0100, Niels Möller wrote:
Simon Josefsson simon@josefsson.org writes:
I believe you can still provide a builtin default-policy, if you want to, by including a default trust policy together with sigsum-verify, and have the installation process put that in the right place so the tool finds it automatically.
If the install process is `go install sigsum.org/sigsum-go@vx.y.z` I don't think there's any way to get auxiliary files installed?
One could potentially embed the data (or hash of data + url) in some executable, but not use that directly. But have users do something like
This is how I thought Go's tool chain works when changing version, e.g., something like this:
go install golang.org/dl/go1.22.0@latest
go1.22.0 download
And I expected that the "downloader program" would know the hash of what it downloads and installs. But it seems it just reads the .sha256 file?
https://cs.opensource.google/go/dl/+/master:internal/version/version.go;l=14...
I'm probably missing something obvious.
But I think you're right that it would be possible to create an installer that knows how to install the tools and associated policies.
`go run sigsum.org/sigsum-go/cmd/sigsum-install@vx.y.z ...` to install default policies somewhere in /etc or $HOME, depending on privileges and command line arguments.
Or we could try to discourage this way of using the go tools to install sigsum (and instead advertise some method that verifies our release signatures), but I suspect that will be a bit futile.
Agreed.
-Rasmus
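The thread contrasts an installer that carries the expected hash of what it downloads with one that reads a `.sha256` sidecar fetched from the same place as the artifact. The following Go program is an added illustration of that difference; it is not code from the sigsum-go project or from golang.org/dl, and the function names, the sidecar layout (`<hex>  <filename>`, as written by sha256sum) and the sample bytes are constructed for the example. A pinned digest is compared in constant time; the sidecar check is shown beside it to make explicit that it only proves the two files agree with each other, which a single source that serves both can always arrange.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrDigestMismatch is returned when the artifact does not match the expected digest.
var ErrDigestMismatch = errors.New("artifact digest does not match expected value")

// HexDigest returns the lowercase hex SHA-256 of b.
func HexDigest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned checks artifact against a digest the installer itself carries
// (for example a constant compiled into the binary). The digest is trusted
// because it arrived with the installer, not with the download.
func VerifyPinned(artifact []byte, pinnedHex string) error {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("pinned digest is not a valid SHA-256 hex string")
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// DigestFromSidecar parses the first whitespace-separated field of a
// sha256sum-style sidecar file (constructed format for this example).
func DigestFromSidecar(sidecar []byte) (string, error) {
	fields := strings.Fields(string(sidecar))
	if len(fields) == 0 || len(fields[0]) != hex.EncodedLen(sha256.Size) {
		return "", fmt.Errorf("sidecar does not start with a SHA-256 hex digest")
	}
	return strings.ToLower(fields[0]), nil
}

// VerifyAgainstSidecar checks the artifact against the digest in a sidecar
// downloaded alongside it. This detects a corrupted transfer, but whoever can
// replace the artifact at the origin can replace the sidecar too, so a match
// says nothing about who produced the artifact.
func VerifyAgainstSidecar(artifact, sidecar []byte) error {
	digest, err := DigestFromSidecar(sidecar)
	if err != nil {
		return err
	}
	return VerifyPinned(artifact, digest)
}

func main() {
	// Constructed sample release and its pinned digest (SHA-256 of "hello world").
	release := []byte("hello world")
	const pinned = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
	sidecar := []byte(pinned + "  sample-release.tar.gz\n")

	fmt.Println("pinned check:  ", VerifyPinned(release, pinned))
	fmt.Println("sidecar check: ", VerifyAgainstSidecar(release, sidecar))

	// A modified artifact served together with a matching sidecar passes the
	// sidecar check but not the pinned one.
	modified := []byte("hello worlD")
	modifiedSidecar := []byte(HexDigest(modified) + "  sample-release.tar.gz\n")
	fmt.Println("modified, sidecar check:", VerifyAgainstSidecar(modified, modifiedSidecar))
	fmt.Println("modified, pinned check: ", VerifyPinned(modified, pinned))
}
```

The pinned value would in practice be updated with each installer release, which is exactly the coupling the thread describes: the installer version selects the policy and artifact digests it is willing to accept, so `go install ...@vx.y.z` of the installer is what fixes the trust anchor.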