Hello,
I just wrote a small proof of concept for remote PGP signing.
It is written in Go (using the weekly snapshot, not the
r60 release), and is hosted at:
https://github.com/remyoudompheng/remotepgp
Usage is quite simple:
- compile everything
- run the server on the appropriate machine, for example
./server -addr localhost:10022
(by default it binds on localhost)
- choose a remote file name
- run the client:
./client -server http://localhost:10022/hash /home/remy/packages/blah
It does the following:
- looks for the secret keyring in $HOME/.gnupg/secring.gpg
- chooses the first secret key and asks for the passphrase if needed
- sends a little chunk of bytes to the server
- the server hashes the concatenation of the file and the little chunk
and returns the hash
- the client finishes the signature process and writes blah.sig in the
current directory.
You should then be able to copy the remote file and check the signature
is valid.
For paranoid remote usage, it is possible to setup a SSH tunnel to
connect to the server.
Any comments are welcome.
--
Rémy.
(I'm not really good at license terms and associated legalese,
please tell me if copyright notices get wrong)
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/
There are currently:
* 2 new packages in last 24 hours
* 1 known bad package
* 0 packages not accepting signoffs
* 15 fully signed off packages
* 8 packages missing signoffs
* 5 packages older than 14 days
(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)
== New packages in [testing] in last 24 hours (2 total) ==
* inetutils-1.9-1 (i686)
* inetutils-1.9-1 (x86_64)
== Incomplete signoffs for [core] (5 total) ==
* ed-1.6-1 (i686)
0/2 signoffs
* glibc-2.15-3 (i686)
3/4 signoffs
* inetutils-1.9-1 (i686)
0/2 signoffs
* ed-1.6-1 (x86_64)
0/2 signoffs
* inetutils-1.9-1 (x86_64)
0/2 signoffs
== Incomplete signoffs for [extra] (3 total) ==
* pulseaudio-1.1-2 (i686)
0/2 signoffs
* valgrind-3.7.0-2 (i686)
1/2 signoffs
* pulseaudio-1.1-2 (x86_64)
1/2 signoffs
== Completed signoffs (15 total) ==
* binutils-2.22-4 (i686)
* file-5.10-1 (i686)
* gcc-4.6.2-5 (i686)
* linux-api-headers-3.1.6-1 (i686)
* pacman-4.0.1-1 (i686)
* binutils-2.22-4 (x86_64)
* file-5.10-1 (x86_64)
* gcc-4.6.2-5 (x86_64)
* glibc-2.15-3 (x86_64)
* linux-api-headers-3.1.6-1 (x86_64)
* pacman-4.0.1-1 (x86_64)
* namcap-3.2.1-1 (any)
* pyalpm-0.5.3-1 (i686)
* pyalpm-0.5.3-1 (x86_64)
* valgrind-3.7.0-2 (x86_64)
== All packages in [testing] for more than 14 days (5 total) ==
* pyalpm-0.5.3-1 (i686), since 2011-10-15
* pyalpm-0.5.3-1 (x86_64), since 2011-10-15
* namcap-3.2.1-1 (any), since 2011-10-20
* pacman-4.0.1-1 (i686), since 2011-11-21
* pacman-4.0.1-1 (x86_64), since 2011-11-21
== Top five in signoffs in last 24 hours ==
1. dreisner - 2 signoffs
Hi guys,
The next udev release will change its kernel requirements. This will
not affect people running our standard kernel, but self-compiled
kernels might be, and the -lts kernel is affected.
The major changes are:
* 2.6.34 is the minimum kernel requirement (our current -lts is .32).
* devtmpfs support must be switched on; /dev can no longer be on a
tmpfs (this should only affect self-compiled kernels).
For more details see
<http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob_plain;f=README>.
I think it does not make any sense for people to hold back udev and
upgrade other packages, so once this is out I'll remove support for
non-devtmpfs kernels in initscripts too. It might possibly make sense
to re-evaluate our minimum kernel version supported in glibc, but I'll
leave that to more knowledgeable people.
Closer to the release I'll make a news item about this so everyone is aware.
Cheers,
Tom
There are reports that the registration question for the forum and wiki
is not working. I seem to remember a similar issue last year. Can
someone take a look at this?
Allan
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/
There are currently:
* 4 new packages in last 24 hours
* 1 known bad package
* 0 packages not accepting signoffs
* 13 fully signed off packages
* 8 packages missing signoffs
* 5 packages older than 14 days
(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)
== New packages in [testing] in last 24 hours (4 total) ==
* ed-1.6-1 (i686)
* file-5.10-1 (i686)
* ed-1.6-1 (x86_64)
* file-5.10-1 (x86_64)
== Incomplete signoffs for [core] (5 total) ==
* ed-1.6-1 (i686)
0/2 signoffs
* file-5.10-1 (i686)
1/2 signoffs
* glibc-2.15-3 (i686)
3/4 signoffs
* ed-1.6-1 (x86_64)
0/2 signoffs
* file-5.10-1 (x86_64)
1/2 signoffs
== Incomplete signoffs for [extra] (3 total) ==
* pulseaudio-1.1-2 (i686)
0/2 signoffs
* valgrind-3.7.0-2 (i686)
1/2 signoffs
* pulseaudio-1.1-2 (x86_64)
1/2 signoffs
== Completed signoffs (13 total) ==
* binutils-2.22-4 (i686)
* gcc-4.6.2-5 (i686)
* linux-api-headers-3.1.6-1 (i686)
* pacman-4.0.1-1 (i686)
* binutils-2.22-4 (x86_64)
* gcc-4.6.2-5 (x86_64)
* glibc-2.15-3 (x86_64)
* linux-api-headers-3.1.6-1 (x86_64)
* pacman-4.0.1-1 (x86_64)
* namcap-3.2.1-1 (any)
* pyalpm-0.5.3-1 (i686)
* pyalpm-0.5.3-1 (x86_64)
* valgrind-3.7.0-2 (x86_64)
== All packages in [testing] for more than 14 days (5 total) ==
* pyalpm-0.5.3-1 (i686), since 2011-10-15
* pyalpm-0.5.3-1 (x86_64), since 2011-10-15
* namcap-3.2.1-1 (any), since 2011-10-20
* pacman-4.0.1-1 (i686), since 2011-11-21
* pacman-4.0.1-1 (x86_64), since 2011-11-21
== Top five in signoffs in last 24 hours ==
1. bluewind - 3 signoffs
2. allan - 2 signoffs
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/
There are currently:
* 1 new package in last 24 hours
* 1 known bad package
* 0 packages not accepting signoffs
* 15 fully signed off packages
* 4 packages missing signoffs
* 5 packages older than 14 days
(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)
== New packages in [testing] in last 24 hours (1 total) ==
* initscripts-2012.01.1-1 (any)
== Incomplete signoffs for [core] (1 total) ==
* glibc-2.15-3 (i686)
3/4 signoffs
== Incomplete signoffs for [extra] (3 total) ==
* pulseaudio-1.1-2 (i686)
0/2 signoffs
* valgrind-3.7.0-2 (i686)
1/2 signoffs
* pulseaudio-1.1-2 (x86_64)
1/2 signoffs
== Completed signoffs (15 total) ==
* binutils-2.22-4 (i686)
* gcc-4.6.2-5 (i686)
* linux-api-headers-3.1.6-1 (i686)
* pacman-4.0.1-1 (i686)
* perl-5.14.2-5 (i686)
* binutils-2.22-4 (x86_64)
* gcc-4.6.2-5 (x86_64)
* glibc-2.15-3 (x86_64)
* linux-api-headers-3.1.6-1 (x86_64)
* pacman-4.0.1-1 (x86_64)
* perl-5.14.2-5 (x86_64)
* namcap-3.2.1-1 (any)
* pyalpm-0.5.3-1 (i686)
* pyalpm-0.5.3-1 (x86_64)
* valgrind-3.7.0-2 (x86_64)
== All packages in [testing] for more than 14 days (5 total) ==
* pyalpm-0.5.3-1 (i686), since 2011-10-15
* pyalpm-0.5.3-1 (x86_64), since 2011-10-15
* namcap-3.2.1-1 (any), since 2011-10-20
* pacman-4.0.1-1 (i686), since 2011-11-21
* pacman-4.0.1-1 (x86_64), since 2011-11-21
== Top five in signoffs in last 24 hours ==
1. tomegun - 6 signoffs
2. stephane - 4 signoffs
3. bpiotrowski - 2 signoffs
Hi all,
I'll be away and unreachable from January 5 to January 15.
There's no current issue that I know of with any of my packages but if
something comes up feel free to step in.
Happy 2012!
--
Gaetan