package conex

You can search for identifiers within the package.

in-package search v0.2.0

On This Page

Project history
Installation

package conex

conex
- CHANGES
- LICENSE
- README
- Library conex
  - Conex
    
    Make
  - Conex_diff
  - Conex_diff_provider
  - Conex_io
  - Conex_opam_encoding
  - Conex_private
    
    S
    
    FS
    
    S_RSA_BACK
    
    Make
  - Conex_repository
  - Conex_resource
    
    Wire
    
    Header
    
    Digest
    
    Digest_map
    
    Key
    
    Signature
    
    Expression
    
    KS
    
    Root
    
    Delegation
    
    Target
    
    Targets
  - Conex_utils
    
    S
    
    M
    
    String
    
    Uint
    
    Uint_map
    
    LOGS
    
    Tag
    
    Tree
  - Conex_verify
    
    S
    
    S_RSA_BACK
    
    Make
- Library conex.openssl
  - Conex_openssl
    
    V
    
    O_V
- Library conex.unix
- Sources
  - conex
    
    conex.ml
    
    conex_diff.ml
    
    conex_diff_provider.ml
    
    conex_io.ml
    
    conex_opam_encoding.ml
    
    conex_private.ml
    
    conex_repository.ml
    
    conex_resource.ml
    
    conex_utils.ml
    
    conex_verify.ml
  - conex.openssl
    
    conex_openssl.ml
  - conex.unix
    
    conex_unix_persistency.ml
    
    conex_unix_private_key.ml
    
    conex_unix_provider.ml

Legend:
Page
Library
Module
Module type
Parameter
Class
Class type
Source

Conex - establish trust in community repositories

v0.11.1

Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on the update framework, especially on their CCS 2010 paper, and adapted to the requirements of the opam repository.

The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.

The TUF spec has a good overview of attacks and threat model, both of which are shared by conex.

Project history

Spring 2017, together with Justin Cappos TAP 8 was designed which extends TUF with key rotation and explicit self-revocation.

Early 2017, a blog post introducing a prototype was published.

We presented an earlier design at OCaml 2016 about an earlier design.

Another article on an even earlier design (from 2015) is also available.

Installation

Conex release tarballs are accompanied with OpenPGP signatures in a separate .sig file in the download area.

opam instal conex will install this library and tool, once you have installed OCaml (>= 4.05.0) and opam (>= 2.0.0beta).

A small test repository with two maintainers is available here including transcripts of how it was setup, and how to setup opams repo validation hook.