notary v0.1.0

by Bob Rudis

Signing and Verification of R Packages

Signing and verification of R packages.

Readme

Problems

Solutions (current)

GitHub

  • Only install signed releases
  • Verify release signatures

CRAN

  • Reimagining integrity mirror integrity

Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.

notary : Signing and Verification of R Packages

Methods

More for users:

CRAN-ish

  • install_packages: Install and verify packages
  • download_packages: Download and verify packages
  • available_packages: Download and verify package indices

GitHub-ish

  • install_release: Validate that the current GitHub release is GPG signed and install it if so
  • validate_release: Validate that the current GitHub release is GPG signed
  • retrieve_release_signature: Retrieve the GitHub signing information for the latest release of a package
  • get_tags: Retrieve a data frame of GitHub package tag (release) info

source()-ish

  • source_safe_sign: Source a file with verification
  • sys_source_safe_sign: Source a file with verification

More for plumbers:

  • package_index_prepare: Prepare a package index

The Book of R [Security]

https://ropenscilabs.github.io/r-security-practices/index.html

A gif is worth a thousand words

https://rud.is/dl/notary.gif

Usage

library(notary)
library(tidyverse)
validate_release("hrbrmstr/hrbrthemes")
##    Repo/Package: hrbrmstr/hrbrthemes (v0.3.0)
##       Committer: Bob Rudis <bob@rud.is>
## GitHub Verified: TRUE
## GPG Fingerprint: 3773E53B2013A722FA67C6F02A514A4997464560
##    Trusted peer: TRUE
##       Timestamp: 2017-05-10 11:15:21
##       Algorithm: RSA + SHA256

validate_release("ironholds/rgeolocate")
##    Repo/Package: ironholds/rgeolocate (0.8.0)
##       Committer: Oliver Keyes <ironholds@gmail.com>
## GitHub Verified: FALSE
## GPG Fingerprint: 
##    Trusted peer: 
##       Timestamp: 
##       Algorithm:  +

retrieve_release_signature("hrbrmstr/ggalt")
## Latest release is not signed or has not been verified
## NULL

glimpse(get_tags("hrbrmstr/hrbrthemes"))
## Observations: 2
## Variables: 9
## $ user            <chr> "hrbrmstr", "hrbrmstr"
## $ repo            <chr> "hrbrthemes", "hrbrthemes"
## $ tag             <chr> "v0.3.0", "v0.1.0"
## $ committer       <chr> "Bob Rudis", "boB Rudis"
## $ committer_email <chr> "bob@rud.is", "bob@rud.is"
## $ verified        <lgl> TRUE, FALSE
## $ reason          <chr> "-----BEGIN PGP SIGNATURE-----\n\niQIcBAABCAAGBQJZE1i5AAoJECpRSkmXRkVgYzAP/je9bp3imLA9LZPOF...
## $ signature       <chr> "-----BEGIN PGP SIGNATURE-----\n\niQIcBAABCAAGBQJZE1i5AAoJECpRSkmXRkVgYzAP/je9bp3imLA9LZPOF...
## $ payload         <chr> "tree d2959bd73ad3af822e7370553242fbf045438e8d\nparent 52539bf3dc91776c8cb988efdca6565b8b69...

get_tags("tidyverse/dplyr")
## # A tibble: 14 x 9
##         user  repo            tag       committer          committer_email verified reason signature payload
##        <chr> <chr>          <chr>           <chr>                    <chr>    <lgl>  <chr>     <chr>   <chr>
##  1 tidyverse dplyr      v0.6.0-rc          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  2 tidyverse dplyr         v0.5.0          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  3 tidyverse dplyr         v0.4.3 Romain Francois romain@r-enthusiasts.com    FALSE   <NA>      <NA>    <NA>
##  4 tidyverse dplyr         v0.4.2          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  5 tidyverse dplyr         v0.4.1          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  6 tidyverse dplyr         v0.4.0          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  7 tidyverse dplyr       v0.3.0.1  Hadley Wickham      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  8 tidyverse dplyr           v0.3          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
##  9 tidyverse dplyr         v0.2.0          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
## 10 tidyverse dplyr         v0.1.3          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
## 11 tidyverse dplyr         v0.1.2          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
## 12 tidyverse dplyr v0.1.2-cran-rc          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
## 13 tidyverse dplyr         v0.1.1 Romain François romain@r-enthusiasts.com    FALSE   <NA>      <NA>    <NA>
## 14 tidyverse dplyr           v0.1          hadley      h.wickham@gmail.com    FALSE   <NA>      <NA>    <NA>
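The Usage output above shows three separate pieces of evidence per release: the GPG fingerprint of the signing key, whether GitHub itself verified the signature, and a "Trusted peer" flag. The following is an added example, not notary's own code or logic. It parses the beginning of the v0.3.0 tag signature exactly as it appears, truncated, in the get_tags() output, extracts the public-key algorithm, hash algorithm, creation time and issuer key ID from the OpenPGP signature packet, and then applies one reading of the "Trusted peer" idea: the issuer key ID must be the tail of a fingerprint you pinned yourself. The pinned-fingerprint set and the interpretation of "Trusted peer" as such an allowlist are assumptions. The code performs no cryptographic verification; that requires the full packet, the signed tag payload and the public key, and is what GitHub's "Verified" (or a local gpg run) supplies.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed inputs, copied from this page: the first 57 base64 characters of
# the v0.3.0 tag signature shown by get_tags(), and the fingerprint that
# validate_release() reported. Treating that fingerprint as a pinned "trusted
# peer" is this example's assumption, not something notary documents.
TRUNCATED_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "iQIcBAABCAAGBQJZE1i5AAoJECpRSkmXRkVgYzAP/je9bp3imLA9LZPOF"
)
TRUSTED_FINGERPRINTS = {"3773E53B2013A722FA67C6F02A514A4997464560"}

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def armored_body_bytes(armored):
    """Decode the base64 body of an ASCII-armored block.

    Only whole 4-character groups are decoded, so a truncated armor (as in
    the get_tags() output) still yields the leading bytes of the packet.
    """
    body, in_body = [], False
    for line in armored.strip().splitlines():
        if line.startswith("-----BEGIN"):
            in_body = True
            continue
        if line.startswith("-----END") or line.startswith("="):
            break                       # end marker or CRC24 line
        if in_body and line and ":" not in line:   # skip "Version:" headers
            body.append(line.strip())
    b64 = "".join(body)
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])


def iter_subpackets(area):
    """Yield (type, data) for each subpacket (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length = ((first - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:
            (length,) = struct.unpack(">I", area[pos + 1:pos + 5])
            pos += 5
        sub_type = area[pos] & 0x7F     # high bit is the "critical" flag
        yield sub_type, area[pos + 1:pos + length]   # length counts the type octet
        pos += length


def parse_signature_prefix(raw):
    """Parse the metadata at the start of an old-format v4 signature packet.

    Returns algorithms, creation time and issuer key ID. It does NOT check
    the signature value itself.
    """
    ctb = raw[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag = (ctb & 0x3C) >> 2
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    pos = {0: 2, 1: 3, 2: 5}[ctb & 0x03]       # 1-, 2- or 4-byte body length
    version, sig_type, pubkey_algo, hash_algo = raw[pos:pos + 4]
    if version != 4:
        raise ValueError("only v4 signatures handled here (got v%d)" % version)
    pos += 4
    (hashed_len,) = struct.unpack(">H", raw[pos:pos + 2])
    hashed = raw[pos + 2:pos + 2 + hashed_len]
    pos += 2 + hashed_len
    (unhashed_len,) = struct.unpack(">H", raw[pos:pos + 2])
    unhashed = raw[pos + 2:pos + 2 + unhashed_len]

    info = {"sig_type": sig_type, "created": None, "issuer_key_id": None,
            "pubkey_algo": PUBKEY_ALGOS.get(pubkey_algo, str(pubkey_algo)),
            "hash_algo": HASH_ALGOS.get(hash_algo, str(hash_algo))}
    for area in (hashed, unhashed):
        for sub_type, data in iter_subpackets(area):
            if sub_type == 2 and len(data) == 4:       # signature creation time
                (ts,) = struct.unpack(">I", data)
                info["created"] = datetime.fromtimestamp(ts, tz=timezone.utc)
            elif sub_type == 16 and len(data) == 8:    # issuer key ID
                info["issuer_key_id"] = data.hex().upper()
    return info


def trusted_peer(info, trusted_fingerprints):
    """Allowlist policy: the issuer must be a key *you* pinned.

    A v4 key ID is the low 64 bits of the fingerprint, so a pinned 40-digit
    fingerprint is matched on its last 16 hex digits. GitHub's "Verified"
    only says the signature matched some key on the committer's account.
    """
    key_id = info["issuer_key_id"]
    if key_id is None:
        return False
    return any(fp.upper().replace(" ", "").endswith(key_id)
               for fp in trusted_fingerprints)


def check_release(armored, trusted_fingerprints):
    info = parse_signature_prefix(armored_body_bytes(armored))
    info["trusted_peer"] = trusted_peer(info, trusted_fingerprints)
    return info


if __name__ == "__main__":
    for k, v in check_release(TRUNCATED_SIGNATURE, TRUSTED_FINGERPRINTS).items():
        print("%14s: %s" % (k, v))
```

Run as a script, the issuer key ID comes out as 2A514A4997464560, which is the tail of the fingerprint validate_release() printed, with RSA + SHA256 as the algorithms, matching the Algorithm line above. The point of separating `trusted_peer` from the parse is that a release can be "GitHub Verified" by a freshly generated key on a compromised account; the pinned-fingerprint check is the part that has to live on the installer's side.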

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Functions in notary

Name Description
available_packages Download verified package indices
download_packages Download and verify packages
install_release Validate that the current GitHub release is GPG signed and install it if so
kb_file_exists Check to see if a file exists under a user's Keybase public folder
retrieve_release_signature Retrieve the GitHub signing information for the latest release of a package
sign_file Sign a file with a `sodium` key
notary Tools to Sign and Verify R Packages
package_index_prepare Prepare a package index
get_tags Retrieve a data frame of GitHub package tag (release) info
install_packages Install and validate packages
source_safe_sign Source a file with verification
validate_release Validate that the current GitHub release is GPG signed

Details

Type Package
Date 2017-05-25
URL https://github.com/ropenscilabs/notary
BugReports https://github.com/ropenscilabs/notary/issues
License MIT + file LICENSE
RoxygenNote 6.0.1
