Using PGP keys to sign documents, helpful for needauth converters?

Richard Kimberly Heck rikiheck at lyx.org
Mon Jul 6 18:30:57 UTC 2020


On 7/6/20 1:44 PM, Scott Kostyshak wrote:
> On Mon, Jul 06, 2020 at 11:40:57AM -0400, Richard Kimberly Heck wrote:
>> On 7/6/20 11:20 AM, Scott Kostyshak wrote:
>>> Suppose I have a document that needs a needauth converter (e.g., knitr).
>>> Currently, I need to authorize each document, and then the document path
>>> is stored in the session file (under "auth files"). I like this, and it
>>> makes me feel more comfortable compiling documents I download from
>>> untrusted sources (e.g., when trying to help someone). However, I find
>>> it annoying when I try to compile my own documents that are older. I
>>> could just be careful to preserve the session file so that it remembers
>>> all of the ones that I have authorized, but I wonder if it would be
>>> interesting to allow signing of .lyx files with PGP keys. That way, if I
>>> open a document that is signed by a key that I have in my keyring, there
>>> is no need to ask for authorization. What are your thoughts on this?
>> This sounds like an excellent idea. How to implement it?
> I didn't think that far ahead :)
>
> A few disorganized ideas:
>
> - We could use a separate file format. Just like how we allow a LyX file
>   to be compressed, we could allow it to be of type "signed". The
>   "signed" file format could just be a compressed directory that
>   contains a .lyx file and a signature file.  But that doesn't seem like
>   the smoothest option, since it would make things like tracking changes
>   in Git less useful.

Could we use the private key to put some kind of signature into the
header, along with an indication of what key is needed to verify it?
This could be an encrypted version of some kind of hash of the file
contents. We could put into the first couple lines after the format. The
hash would be of what followed (the preamble and body).

This sounds like something Enrico would have ideas about.

Riki




More information about the lyx-devel mailing list