[Rd] Support for signing R packages with GPG

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Tue Nov 1 12:45:25 CET 2016


On Tue, Oct 25, 2016 at 7:22 PM, Martyn Plummer <plummerm at iarc.fr> wrote:
> Thanks Jeroen. The R Foundation has recently formed a working group to
> look into package authentication. There are basically two models. One
> is the GPG based model you describe; the other is to use X.509 as
> implemented in the PKI package. It's not yet clear which way to go but
> we are thinking about it.

I look forward to hearing what the working group comes up with. I
suppose if you go with x509, CRAN is going to perform CA duties?

Let me know if I can help with implementation, either via gpg or x509.
I am actively developing the openssl package which includes many more
x509 utilities, supporting all common key types (dsa, rsa, ec),
certificate bundles, ssl, etc. The main difference with PKI is that
openssl uses the native pem/der parsers from libssl which are more
robust and also recognize the less common formats, so that we don't
have to deal with parsing/decoding ASN.1 in R.

I will be happy to adapt/extend it further to fit the needs of the
workgroup and help this move forward.


