PGP signing support #11
Conversation
Some PGP clients can't treat lines longer than 20000 characters
|
API signing fully implemented and working as expected. |
|
It seems to me like the mod uploader and approver signing the mod is a lot more important than the server signing it. Also, what's the point in the server signing the mod, especially if it's signed before it's approved? |
|
The idea came from a PR that I made to the mod installer to allow mirrors. The problem was that a mirror could easily change what was being downloaded. |
Some PGP clients can't treat lines longer than 20000 characters
|
If we're taking this approach, we should probably add a timestamp or expiration to the response. |
|
The |
|
|
|
My bad, I thought you were signing the metadata. |
|
Looks good to me then 👍 |
Automatically create a detached PGP signature for every uploaded mod.
This is meant to increase security, remove the need for hashes, and permit the creation of mirrors. The detached key is really small and the signature generation delay is barely noticeable.
A few things are needed for it to work :
keys/privkey.ascfile)PASSPHRASEenvironment variable)The key can be generated using any tool that follows the OpenPGP standard or by running
keygenwith npm.(I'm working on client side integration and on a tool to create mirrors automatically.)
Edit :
Acessing the API using
/api/v1/pgpmodinstead of/api/v1/modreturns a PGP cleartext signed message instead of plain JSON./api/v1/pgpmodonly supports listing mods./api/v1/modnow support thepgpquery parameter, which returns a signed cleartext message instead of plain JSON (ie.https://beatmods.com/api/v1/mod?status=approved&pgp