conex-nocrypto

Establish trust in community repositories
Description

Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on the update framework, especially on their CCS 2010 paper, and adapted to the requirements of the opam repository.

The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.

The TUF spec has a good overview of attacks and threat model, both of which are shared by conex.

Install
Published
09 Sep 2018
Authors
Maintainers
Sources
conex-0.10.1.tbz
md5=1e09e8e28c4b26d5a22b3a5afd1fdc5c
Dependencies
x509 >= "0.4.0" & < "0.7.0"
nocrypto >= "0.5.4"
cstruct >= "1.6.0" & < "5.0.0"
conex = version
alcotest with-test
ocaml >= "4.03.0"
Reverse Dependencies