Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/10/14 02:41:00 UTC

[jira] [Commented] (NIFI-7322) Add SignContentPGP and VerifyContentPGP Processors

    [ https://issues.apache.org/jira/browse/NIFI-7322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428571#comment-17428571 ] 

David Handermann commented on NIFI-7322:
----------------------------------------

GitHub PR 5457 includes new SignContentPGP and VerifyContentPGP Processors implementing most of the capabilities described.

In addition to the notes on the PR, it is also worth mentioning that Daniel Kahn Gillmor summarized implementation and security issues with clearsigning:

[https://dkg.fifthhorseman.net/blog/inline-pgp-considered-harmful.html]

The Bouncy Castle OpenPGP library includes support for a variety of features, so additional capabilities can be evaluated in subsequent issues as necessary.

> Add SignContentPGP and VerifyContentPGP Processors
> --------------------------------------------------
>
>                 Key: NIFI-7322
>                 URL: https://issues.apache.org/jira/browse/NIFI-7322
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions, Security
>            Reporter: David Margolis
>            Assignee: David Handermann
>            Priority: Major
>              Labels: encryption, pgp, signing
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Users have requested the capability to [sign|https://www.gnupg.org/gph/en/manual/r606.html] content directly with pgp in addition to storing the signature in an attribute (SignContentAttributePGP). There should be options to [clearsign|https://www.gnupg.org/gph/en/manual/r684.html] and [armor|https://www.gnupg.org/gph/en/manual/r1290.html] the content. There should be an option to produce the [detached|https://www.gnupg.org/gph/en/manual/r622.html] signature as its own flowfile.
> Pairing with this processor, users have requested the capability to [verify|https://www.gnupg.org/gph/en/manual/r697.html] signed content with pgp in addition to verifying the signature in an attribute (VerifyContentAttributePGP). There should be options to verify clearsigned and armored content also.
> Finally, the DecryptContentPGP processor should be able to [decrypt|https://www.gnupg.org/gph/en/manual/r669.html] the signed content, so that just the unsigned content remains.
> These processors should use the PGPKeyMaterialService.


