From 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 20 May 2017 17:09:28 -0400
Subject: developer keyring verification

* gpg keyrings in /usr/share/debug-me/ will be checked to see if a
  connecting person is a known developer of software installed on the
  system, and so implicitly trusted already. Software packages/projects
  can install keyrings to that location. (Thanks to Sean Whitton for the
  idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg,
  which contains the key of Joey Hess. (stack and cabal installs don't
  include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.

This commit was sponsored by Francois Marier on Patreon.
---
 debug-me.cabal | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'debug-me.cabal')

diff --git a/debug-me.cabal b/debug-me.cabal
index 10b184e..3750f00 100644
--- a/debug-me.cabal
+++ b/debug-me.cabal
@@ -20,13 +20,16 @@ Description: A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. + If you trust a developer to ship software to your computer, + you can trust them to debug-me. . When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who - has signed it. If the developer has a good reputation, you can proceed - to let them type into your console in a debug-me session. Once the - session is done, the debug-me server will email you the signed + has signed it, and will let you know if they are a known developer + of software on your computer. If the developer has a good reputation, + you can proceed to let them type into your console in a debug-me session. + Once the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. . If the developer did do something bad, you'd have proof that they cannot @@ -40,6 +43,7 @@ Extra-Source-Files: debug-me.service debug-me.init debug-me.default + developer-keyring.gpg Executable debug-me Main-Is: debug-me.hs @@ -81,6 +85,7 @@ Executable debug-me , utf8-string (>= 1.0) , network-uri (>= 2.6) , mime-mail (>= 0.4) + , time (>= 1.6) Other-Modules: ControlWindow ControlSocket @@ -90,6 +95,7 @@ Executable debug-me Graphviz Gpg Gpg.Wot + Gpg.Keyring Hash JSON Log @@ -109,6 +115,7 @@ Executable debug-me SessionID Types Val + Verify VirtualTerminal WebSockets -- cgit v1.2.3
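Review bot: In the Description hunk (@@ -20,13 +20,16), the added text "will let you know if they are a known developer of software on your computer" does not say how that is decided. The commit message states that any gpg keyring under /usr/share/debug-me/ is consulted and that packages can install keyrings there, so every package that installs a file into that directory extends the set of implicitly trusted developers. Suggest naming the directory in the Description, so a user shown the "known developer" message knows which files on disk back that claim and can audit them.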
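Review bot: In the Extra-Source-Files hunk (@@ -40,6 +43,7), developer-keyring.gpg becomes a shipped trust anchor, yet the only record of its contents is the commit message's "contains the key of Joey Hess". Suggest recording the key's full fingerprint in the commit message or in a text file beside the keyring, so later changes to the file can be checked against a stated value. The source name also differs from the installed name in the commit message (/usr/share/debug-me/debug-me_developer.gpg); since this view is limited to debug-me.cabal, a short comment saying where the rename happens would help readers connect the two.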
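Review bot: In the build-depends hunk (@@ -81,6 +85,7), "time (>= 1.6)" arrives with only "Added dependency on time" as explanation. Suggest one clause in the commit message saying which part of the keyring verification needs it, so a reviewer can judge whether the new dependency is tied to a security-relevant check or is incidental. The lower-bound-only constraint matches the neighbouring entries, so no change is needed there.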