Roadmap to GPG verification

[tapeinosyne]

As per #4688 and #4848, we intend to support GPG verification of cask packages in the form of an optional gpg stanza. This issue tracks the prerequisites of a working implementation. (Other relevant issues are #164, #1824.)

For those unfamiliar, GPG can verify the authenticity of a package, given:

• a file signature, offered by the package author, generally as a downloadable .sig or .asc file;
• a gpg key, either as a short-hand ID, or a downloadable .asc file.

To satisfy the requirements of GPG, it is necessary to download and store files which are not closely tied to our url stanza. As we lack such functionality, some work beyond gpg proper is required.

• Metadata (Store metadata with installed Casks. #3066 Metadata directory support #6117)
  • Fetch and store the signature in a persistent folder/file, which should not be deleted if install fails.
• Review Cask::DSL::Gpg (Revise gpg stanza order and parameters #5975)
  I would suggest to define the stanza as gpg 'signature url', :key_type => 'key_value', which is shorter and arguably clearer than what we defined in DSL: add gpg stanza #4848.
• GPG ops (Introduce GPG operations #6184)
  • retrieve key from ID, or fetch from url;
  • verify package.
• GPG interfaces
  • core: wrap success/failure states, etc.
  • user-level: inform of gpg operations at install time.
• Tests
• Docs
• Add GPG stanza to compatible casks (Add gpg stanza to compatible casks #6185)
• Optionally, decouple checksum from Cask::Download (Separate the Ruby backend from internal Homebrew dependencies #5080)
  Verification of integrity (via SHA-256) and authenticity (via GPG) could be moved to a dedicated module/class.
• Optionally, add generic download commands (Separate the Ruby backend from internal Homebrew dependencies #5080)
  It might be desirable to introduce download methods which are not specific to cask url.

@caskroom/maintainers, I would appreciate feedback, particularly on the optional items which pertain to Cask's Ruby internals.

[rolandwalker]

Since we aren't ready to merge #3066, I will split out just the metadata directory into a separate PR. It also has to be changed not to delete the entire .metadata folder on failure.

Refactoring checksums and downloads are both needed from the point of view of #5080.

[olbrew]

Will this also work with GPG2? I only have that one installed as that is the recommended version on the desktop.

[hellais]

From looking at all the related tickets, it seems like it has been decided that this should not be implemented.

Could somebody provide some background as to why it has been decided to drop this support for this?

cc @reitermarkus

[vitorgalvao]

Could somebody provide some background as to why it has been decided to drop this support for this?

Homebrew/brew#4120. Start at Homebrew/brew#4120 (comment).