zign-tools
zign-tools is a suite of tools, targeted at 2 groups of people:
Software Developers
zign-tools allows software developers to cryptographically sign the source
code in their project, to provide some degree of assurance that it hasn't
been tampered with.
People who install software from source code
zign-tools allows you to verify that the software you download hasn't been
tampered with, was last modified by a trusted person, and that there haven't
been any errors in downloading the code.
The Problem
When you need to install software that comes in source code form, how do you
know that it's safe to install? How do you know that someone hasn't inserted
a trojan? How do you know there were no errors during transmission? During
packaging?
You don't.
But if each source file was individually cryptographically signed using a PGP
key, and you can trust that the key used for signing was the key belonging to
the original developer, would you feel more comfortable installing that
software?
Yes, you would.
That's what zign-tools provides. A way for developers to say that this is
the kosher version of software they are releasing, and a way for end-users
to verify that this is the case.
When you install binary software packages we already have mechanisms to do
this sort of verification. Debian, Red Hat, SuSE, and Ubuntu all sign their
software packages - and so do Apple and Microsoft. But no-one has addressed
this from a source-code perspective, which is very important for the
open-source and free software community.
How it works
TBD - when I get time I'll document the process. Right now, think GPG signing
multiple hashes of the source file and appending that as a comment. Then
using the GPG chain-of-trust to verify that the person who signed the source
file is a friend-of-a-friend-of-a-friend etc.
And expanding further into zigning whole directories full of multiple language
files, and doing a similar verification.
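To make the sketch above concrete, here is an added example (my own illustration, not zign-tools' code) of the per-file workflow: hash the source body several ways, sign the line of hashes, append the result as a trailing comment in the language's own comment syntax, and later strip the comment, recompute the hashes and check the signature. The comment prefixes, the "zign:" marker and the trailer layout are assumptions; the signature is a seeded textbook-RSA stand-in so the example runs offline, standing in for the GPG detached signature the real tool would use. The GPG web-of-trust step (deciding whether the signing key belongs to someone you trust) is not modelled here; only the hash-plus-signature check is.

```python
"""Illustration of sign-hashes-and-append-as-comment (added example, not zign-tools).
The RSA-style signature below is a stand-in for a real GPG signature."""
import hashlib
import random
import re

# Assumed comment syntax per source language (not zign-tools' own table).
COMMENT_PREFIX = {".py": "#", ".sh": "#", ".c": "//", ".js": "//"}
HASHES = ("sha1", "sha256", "sha512")   # several hashes, as the text describes
MARKER = "zign:"                         # assumed trailer marker


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; helper for the demo key generation only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(seed=0, bits=512):
    """Seeded textbook-RSA demo key (stand-in for a GPG key; never use for real)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))      # (public, private)


def digest_line(body: bytes) -> str:
    """The signed line: every hash of the file body, space separated."""
    return " ".join(f"{h}={hashlib.new(h, body).hexdigest()}" for h in HASHES)


def sign(data: str, priv) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data.encode()).digest(), "big"), d, n)


def verify_sig(data: str, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def zign(text: str, ext: str, priv) -> str:
    """Append the hashes and their signature as a two-line trailing comment."""
    if not text.endswith("\n"):
        text += "\n"
    prefix = COMMENT_PREFIX[ext]
    line = digest_line(text.encode())
    return text + f"{prefix} {MARKER} {line}\n{prefix} {MARKER}sig {sign(line, priv):x}\n"


def split_zigned(text: str, ext: str):
    """Return (body, digest line, signature int), or None when no trailer is present."""
    prefix, marker = re.escape(COMMENT_PREFIX[ext]), re.escape(MARKER)
    pat = re.compile(rf"{prefix} {marker} (.+)\n{prefix} {marker}sig ([0-9a-f]+)\n\Z")
    m = pat.search(text)
    return None if m is None else (text[: m.start()], m.group(1), int(m.group(2), 16))


def verify(text: str, ext: str, pub) -> bool:
    """True only if the hashes match the body on disk AND the signature covers them."""
    parts = split_zigned(text, ext)
    if parts is None:
        return False
    body, line, sig = parts
    # Recomputed hashes catch download/packaging errors and edits to the body.
    if digest_line(body.encode()) != line:
        return False
    # The signature ties those hashes to whoever holds the private key.
    return verify_sig(line, sig, pub)


if __name__ == "__main__":
    pub, priv = make_keypair()
    sample = "def add(a, b):\n    return a + b\n"       # constructed sample source
    signed = zign(sample, ".py", priv)
    print(signed)
    print("intact:", verify(signed, ".py", pub))
    print("tampered:", verify(signed.replace("a + b", "a - b"), ".py", pub))
```

Note that the check deliberately fails closed: a file with no trailer, a body whose hashes no longer match, or a trailer signed by a different key all return False, which is the behaviour you want before running anything from a downloaded tree.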
Status
- February 2007 - 0.0.1 - Initial Release
- March 2007 - 0.0.4 - Initial working Release (thanks James!) - now working on Linux & Mac OS X
- January 2008 - 0.9.0 - Good enough to open repository to the world :-)
Future functionality:
- GUI front end tool.
- speed improvements
- python distutils
- MacOSX / FreeBSD Port/Document
- Integration into Mozilla so that web pages can be zigned and verified.
Licence
GPLv2, of course!
Talks
I introduced zign at linux.conf.au 2008 at the Security MiniConf. Here is the set of slides.
Development
Development occurs in bzr. Known branches are:
Releases
None, yet.
Michael Davies, 27 January 2008.