package conex

Establish trust in community repositories

Sources

conex-0.10.0.tbz
sha256=536163045d3624009c4a2ec678a1b531be9485db233f5db43613b3809180a1a9
md5=39cdb4e3a550703e61b2f56d20323fdd

Description

Conex is a utility for verifying and attesting the release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on The Update Framework (TUF), especially on their CCS 2010 paper, and adapted to the requirements of the opam repository.

Developers sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the relation between a package name and the developer key. These repository maintainers are enrolled by a quorum of offline root keys.

The TUF spec has a good overview of attacks and threat model, both of which are shared by conex.

Published: 04 Sep 2018

README

Conex - establish trust in community repositories

0.10.0

Project history

In spring 2017, TAP 8 was designed together with Justin Cappos; it extends TUF with key rotation and explicit self-revocation.

In early 2017, a blog post introducing a prototype was published.

We presented an earlier design at OCaml 2016.

Another article on an even earlier design (from 2015) is also available.

Installation

opam install conex will install this library and tool, once you have installed OCaml (>= 4.03.0) and opam (>= 2.0.0beta).

A small test repository with two maintainers is available here, including transcripts of how it was set up and how to set up opam's repository validation hook.

Dependencies (4)

  1. opam-file-format >= "2.0.0~rc2"
  2. cmdliner
  3. dune
  4. ocaml >= "4.03.0" & < "5.0.0"

Dev Dependencies

None

Used by (1)

  1. conex-nocrypto < "0.10.1"

Conflicts

None
