TerraFrost wrote:The private key, presumably, wouldn't be stored on the server but on the hard drives of various developers or Management Team members or whatever. Or maybe they could just be stored on USB sticks, or something, only plugged into a computer when needed. They'd also, in theory, be encrypted with a symmetric key algorithm as well. phpseclib supports private keys encrypted with DES and 3DES. PuTTY private keys support AES, as well.
nn- wrote:..., but please make this feature completely optional
nn- wrote:..., but either case is less secure than a properly configured environment where automatic updates are not possible.
bantu wrote:The package managers like those being used by Linux distributions basically work the same way and most people use those on a daily basis.
ToonArmy wrote:bantu wrote:The package managers like those being used by Linux distributions basically work the same way and most people use those on a daily basis.
But to run my package manager I become root, by default I don't have the appropriate access credentials to overwrite all the binaries on my system.
TerraFrost wrote:You'd have to do the same thing here, too. Provide FTP or SFTP login information. That's how Wordpress does it. What Wordpress doesn't do is signature verification, because there's no signature available nor is there an embedded public key.
TerraFrost wrote:Incidentally, I was thinking about the public key and... maybe it'd be best to use a pgp / gpg formatted public key. The advantage of that is that easily available command line tools can be used to generate signatures and verify signatures (if you don't want phpBB to auto-upgrade). The disadvantage is that no pure-PHP pgp / gpg parser exists. At least none that I know of. PEAR's Crypt_GPG uses proc_open() calls to the OS, which makes it rather non-portable.
A proprietary - unique to phpBB format - can be used, as well, however, you'd then have to use phpBB specific CLI tools to verify the signature via the command line. At least I know of no tool that supports base64 encoded raw RSASSA-PSS.
Users browsing this forum: EXreaction and 3 guests