[RFC] Secure Automatic Upgrades


Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
TerraFrost
Former Team Member
Posts: 90
Joined: Wed Feb 09, 2005 12:21 am

Re: [RFC] Secure Automatic Upgrades

Post by TerraFrost » Wed Mar 10, 2010 11:44 pm

ToonArmy wrote:
TerraFrost wrote: Incidentally, I was thinking about the public key and... maybe it'd be best to use a pgp / gpg formatted public key. The advantage of that is that easily available command line tools can be used to generate signatures and verify signatures (if you don't want phpBB to auto-upgrade). The disadvantage is that no pure-PHP pgp / gpg parser exists. At least none that I know of. PEAR's Crypt_GPG uses proc_open() calls to the OS, which makes it rather non-portable.

A proprietary (unique to phpBB) format can be used as well; however, you'd then have to use phpBB-specific CLI tools to verify the signature via the command line. At least I know of no tool that supports base64 encoded raw RSASSA-PSS.
I was thinking about this as well. I'd much prefer a GPG based solution, but obviously a pure PHP implementation of signature verification would be required.
I actually don't think a pure PHP implementation is going to be a problem - it's just a matter of time. I haven't read the RFC, so obviously I'm just guessing here, but maybe I could do it in a month? Of course, at the moment, I'm more interested in doing phpBB 3.1 stuff, so I'll hold off on OpenPGP for now.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [RFC] Secure Automatic Upgrades

Post by ToonArmy » Wed Mar 10, 2010 11:46 pm

TerraFrost wrote: I actually don't think a pure PHP implementation is going to be a problem - it's just a matter of time. I haven't read the RFC, so obviously I'm just guessing here, but maybe I could do it in a month? Of course, at the moment, I'm more interested in doing phpBB 3.1 stuff, so I'll hold off on OpenPGP for now.
If you could that'd be brilliant, I'm sure a lot of people would be appreciative as well.