www-repository mailing list archives

From "Tim Anderson" <...@netspace.net.au>
Subject [proposal] signature artifact specifier v0.1
Date Thu, 20 Nov 2003 04:39:58 GMT
[not too happy with the terminology used here. Open
to suggestions]


This proposal extends the URI Syntax proposal:

Signature artifacts are artifacts used to verify the integrity
of another artifact. These include PGP/GPG signatures and keys, 
MD5 and SHA checksums.

The key aims of this proposal are to:
. formalise artifact-specifier for signature artifacts;
. provide a set of best practices for such artifacts; and
. enable tools to construct a URI to unambiguously locate
  a particular signature artifact using a set of known

URI Components

An absolute repository URI is written as follows:
  repository-uri = access-specifier "/" product-specifier "/"
                   version-specifier "/" artifact-specifier

For signature artifacts, artifact-specifier is:
  artifact-specifier = signature-artifact-specifier
  signature-artifact-specifier = key-artifact | integrity-artifact

Key artifacts

For artifacts digitally signed using PGP/GPG, there is an associated
KEYS artifact.
  key-artifact = pgp-keys
  pgp-keys = "pgp/KEYS"


Integrity artifacts

Each artifact may have an associated integrity artifact:

  integrity-artifact = artifact-specifier "." sig-type
  sig-type = "pgp" | "md5" | "sha"

. pgp indicates the artifact was digitally signed using PGP/GPG
. md5 indicates an md5 checksum
. sha indicates a SHA checksum

  The artifact:

  may have integrity artifacts:


Integrity artifacts located alongside artifacts

This approach enables integrity artifacts to be 
located easily.

Tool support

Key artifacts

Tools can unambiguously locate a key artifact given the
project-version URI and signature type.

E.g., given:
  uri = http://repo.apache.org/apache/ant/1.5.4/
  sig-type = "pgp"

The key artifact URI would be:
  uri = http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts

Tools can unambiguously locate an integrity artifact given
the repository URI of the associated artifact, and the signature

E.g., given:
  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar 
  sig-type = "md5"

The integrity artifact URI would be:
  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5

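The "Tool support" rules above, as an added example that is not part of the original message or of any Apache tool: it builds the key-artifact and integrity-artifact URIs from the grammar and checks a downloaded artifact against its md5/sha integrity artifact. The function names are hypothetical; treating "sha" as SHA-1 and the integrity file as a hex digest in its first whitespace-separated token are assumptions the proposal does not state.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

SIG_TYPES = ("pgp", "md5", "sha")  # sig-type values from the proposal
# Assumption: "sha" means SHA-1; the proposal does not name the variant.
DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1}


def _require_sig_type(sig_type):
    # Reject anything outside the grammar so a caller-supplied suffix
    # can never smuggle extra path segments into the URI.
    if sig_type not in SIG_TYPES:
        raise ValueError("unknown sig-type: %r" % (sig_type,))


def key_artifact_uri(version_uri, sig_type):
    """project-version URI + sig-type -> key-artifact URI (pgp/KEYS)."""
    _require_sig_type(sig_type)
    if sig_type != "pgp":
        raise ValueError("the proposal defines a key artifact only for pgp")
    parts = urlsplit(version_uri.strip())
    return urlunsplit(parts._replace(path=parts.path.rstrip("/") + "/pgp/KEYS"))


def integrity_artifact_uri(artifact_uri, sig_type):
    """artifact URI + sig-type -> integrity-artifact URI (artifact "." sig-type)."""
    _require_sig_type(sig_type)
    parts = urlsplit(artifact_uri.strip())
    if not parts.path or parts.path.endswith("/"):
        raise ValueError("URI must name an artifact, not a directory")
    if parts.query or parts.fragment:
        raise ValueError("repository URIs carry no query or fragment")
    return urlunsplit(parts._replace(path=parts.path + "." + sig_type))


def checksum_matches(artifact_bytes, integrity_text, sig_type):
    """Compare an artifact's digest with the content of its .md5/.sha file."""
    if sig_type not in DIGESTS:
        raise ValueError("pgp needs signature verification, not a digest compare")
    tokens = integrity_text.split()
    if not tokens:
        return False  # empty integrity artifact: fail closed
    # Assumption: first token is the hex digest ("<hex>" or "<hex>  name").
    expected = tokens[0].lower().encode("utf-8")
    actual = DIGESTS[sig_type](artifact_bytes).hexdigest().encode("ascii")
    return hmac.compare_digest(actual, expected)
```

A checksum fetched from the same repository as the artifact detects corruption in transit or storage only; authenticity depends on the pgp signature checked against keys obtained independently of that repository.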