www-repository mailing list archives
From "Tim Anderson" <...@netspace.net.au>
Subject [proposal] signature artifact specifier v0.1
Date Thu, 20 Nov 2003 04:39:58 GMT
[not too happy with the terminology used here. Open
to suggestions]

Overview
========

This proposal extends the URI Syntax proposal:
  http://nagoya.apache.org/wiki/apachewiki.cgi?ASFRepository/URISyntax

Signature artifacts are artifacts used to verify the integrity
of another artifact. These include PGP/GPG signatures and keys, 
MD5 and SHA checksums.

The key aims of this proposal are to:
. formalise artifact-specifier for signature artifacts;
. provide a set of best practices for such artifacts; and
. enable tools to construct a URI to unambiguously locate
  a particular signature artifact using a set of known
  criteria

URI Components
==============

An absolute repository URI is written as follows:
  repository-uri = access-specifier "/" product-specifier "/"
                   version-specifier "/" artifact-specifier

For signature artifacts, artifact-specifier is:
  artifact-specifier = signature-artifact-specifier
  signature-artifact-specifier = key-artifact | integrity-artifact

Key artifacts
-------------

For artifacts digitally signed using PGP/GPG, there is an associated
KEYS artifact.
  key-artifact = pgp-keys
  pgp-keys = "pgp/KEYS"

E.g:
  http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts
-------------------

Each artifact may have an associated integrity artifact:

  integrity-artifact = artifact-specifier "." sig-type
  sig-type = "pgp" | "md5" | "sha"

Where:
. pgp indicates the artifact was digitally signed using PGP/GPG
. md5 indicates an md5 checksum
. sha indicates a SHA checksum

E.g: 
  The artifact:
    http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar  

  may have integrity artifacts:
    http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5
    http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.pgp
    http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.sha


Rationale
=========

Integrity artifacts located alongside artifacts
-----------------------------------------------

This approach enables integrity artifacts to be 
located easily.


Tool support
============

Key artifacts
-------------

Tools can unambiguously locate a key artifact given the
project-version URI and signature type.

E.g, given:
  uri = http://repo.apache.org/apache/ant/1.5.4/
  sig-type = "pgp"

The key artifact URI would be:
  uri = http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts
-------------------

Tools can unambiguously locate an integrity artifact given
the repository URI of the associated artifact, and the signature
type.

E.g, given:
  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar 
  sig-type = "md5"

The integrity artifact URI would be:
  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5
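The two "Tool support" rules above (key artifact from project-version URI, integrity artifact from artifact URI plus sig-type) and the integrity-artifact grammar from the "URI Components" section are small enough to implement directly. The following is an added example, not code from the proposal or from the ASF repository project: it builds the URIs exactly as the grammar states, parses a fetched `.md5`/`.sha` artifact in either the bare-digest or the `md5sum`-style "digest  filename" layout, and compares the digest in constant time. It assumes that the proposal's bare "sha" means SHA-1 (the usual meaning of a `.sha` file at the time; adjust `DIGESTS` if your repository differs), and it deliberately leaves `pgp` out of `verify_checksum`: a `.pgp` artifact is a detached signature to hand to GnuPG, and it is the only one of the three that proves origin. A checksum served from the same location as the artifact detects corruption in transit but not substitution by whoever controls that location, so a tool that stops at `.md5` or `.sha` has verified integrity, not authenticity.

```python
"""Signature-artifact URI construction and checksum verification.

Grammar from the proposal:
  repository-uri     = access-specifier "/" product-specifier "/"
                       version-specifier "/" artifact-specifier
  key-artifact       = "pgp/KEYS"               (relative to project-version URI)
  integrity-artifact = artifact-specifier "." sig-type
  sig-type           = "pgp" | "md5" | "sha"
"""
import hashlib
import hmac
import re

SIG_TYPES = ("pgp", "md5", "sha")

# Assumption: "sha" is SHA-1. "pgp" is a detached signature, not a digest,
# so it has no entry here and must be verified with a PGP implementation.
DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1}


def key_artifact_uri(project_version_uri: str) -> str:
    """key-artifact = "pgp/KEYS", appended to the project-version URI."""
    return project_version_uri.rstrip("/") + "/pgp/KEYS"


def integrity_artifact_uri(artifact_uri: str, sig_type: str) -> str:
    """integrity-artifact = artifact-specifier "." sig-type."""
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unknown sig-type {sig_type!r}; expected one of {SIG_TYPES}")
    return f"{artifact_uri}.{sig_type}"


# A run of 32..40 hex characters delimited by word boundaries: 32 for md5,
# 40 for sha1. The length is checked against the declared sig-type below.
_HEX_RUN = re.compile(r"\b([0-9a-fA-F]{32,40})\b")


def parse_checksum_artifact(text: str, sig_type: str) -> str:
    """Extract the lower-case hex digest from a .md5/.sha artifact body.

    Accepts a bare digest or the "<digest>  <filename>" layout written by
    md5sum/sha1sum. A digest of the wrong length for sig_type is rejected
    rather than silently accepted.
    """
    if sig_type not in DIGESTS:
        raise ValueError(f"{sig_type!r} is not a checksum sig-type")
    expected_len = DIGESTS[sig_type]().digest_size * 2
    match = _HEX_RUN.search(text)
    if match is None or len(match.group(1)) != expected_len:
        raise ValueError(f"no {expected_len}-character hex digest in {sig_type} artifact")
    return match.group(1).lower()


def verify_checksum(artifact: bytes, checksum_text: str, sig_type: str) -> bool:
    """True if the checksum artifact matches the artifact bytes.

    Only md5/sha are handled; a "pgp" sig-type raises, because a detached
    PGP signature cannot be checked by hashing alone.
    """
    expected = parse_checksum_artifact(checksum_text, sig_type)
    actual = DIGESTS[sig_type](artifact).hexdigest()
    # Constant-time comparison; cheap insurance against timing side channels.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run the proposal's two worked examples plus a constructed checksum check."""
    project_version = "http://repo.apache.org/apache/ant/1.5.4/"
    artifact = "http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar"
    # Constructed sample: pretend the jar's bytes are b"hello" and that the
    # fetched .md5 artifact is in md5sum's "digest  filename" layout.
    sample_bytes = b"hello"
    sample_md5_artifact = "5d41402abc4b2a76b9719d911017c592  ant-1.5.4.jar\n"
    return {
        "keys": key_artifact_uri(project_version),
        "md5": integrity_artifact_uri(artifact, "md5"),
        "md5_ok": verify_checksum(sample_bytes, sample_md5_artifact, "md5"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the grammar only appends to URIs a tool already holds, the functions above never need to split the repository URI into its access, product and version components; that split belongs to the URI Syntax proposal this one extends.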
