PackageManagerRFC

Package Signing

Open vincentparrett opened this issue 6 years ago • 4 comments

Package Authors will be able to cryptographically sign their packages, such that the authenticity and integrity of the package can be verified.

The mechanism for this has not been determined yet; this is something that NuGet introduced recently.

This is really only practical once we have a public package registry up and running.

vincentparrett avatar Feb 14 '19 06:02 vincentparrett

Utilize GPG to sign the packages as we do with Debian Linux packages? Maybe interface with keybase.io?

code-kungfu avatar Feb 15 '19 03:02 code-kungfu

@code-kungfu something like that. I'm leaning towards code signing like NuGet does.

https://docs.microsoft.com/en-us/nuget/reference/signed-packages-reference

vincentparrett avatar Feb 15 '19 04:02 vincentparrett

X.509 in Delphi? Can anyone suggest an open source library for Delphi that supports this? CAPICOM has been declared as deprecated (supports only the 32-bit version).

bogdanpolak avatar Feb 16 '19 16:02 bogdanpolak

There are native Windows APIs for X.509; however, I've not used them in Delphi.

https://docs.microsoft.com/en-au/windows/desktop/api/wincrypt/

vincentparrett avatar Feb 16 '19 23:02 vincentparrett