ToonArmy wrote:
TerraFrost wrote:
Incidentally, I was thinking about the public key and... maybe it'd be best to use a pgp / gpg formatted public key. The advantage of that is that easily available command line tools can be used to generate signatures and verify signatures (if you don't want phpBB to auto-upgrade). The disadvantage is that no pure-PHP pgp / gpg parser exists. At least none that I know of. PEAR's Crypt_GPG uses proc_open() calls to the OS, which makes it rather non-portable.
A proprietary - unique to phpBB - format can be used, as well; however, you'd then have to use phpBB-specific CLI tools to verify the signature via the command line. At least I know of no tool that supports base64 encoded raw RSASSA-PSS.
I was thinking about this as well; I'd much prefer a GPG-based solution, but obviously a pure PHP implementation of signature verification would be required.
I actually don't think a pure PHP implementation is going to be a problem - it's just a matter of time. I haven't read the RFC, so obviously I'm just guessing here, but maybe I could do it in a month? Of course, at the moment, I'm more interested in doing phpBB 3.1 stuff, so I'll hold off on OpenPGP for now.