[2012-09-16 23:33:39 +0000] Xyne:
I see now that what I proposed would not ensure the integrity of package metadata such as dependencies.
As the metadata is found within packages (.pkg.tar.xz), package signatures (.pkg.tar.xz.sig) ensure their integrity and, more importantly, authenticity. The point of signing the DB is to prevent an attacker from distributing an outdated Arch package (properly signed by one of our packagers) which has a known vulnerability. For this, all we really need to sign is a list of unique identifiers for the most recent version of all packages in each repo. These identifiers could be the hash of each package, tuples ($pkgname,$pkgver,$pkgrel), etc. But of course it is more elegant to simply sign the DB. What matters is that an attacker cannot withhold one package without withholding all packages (by withholding the DB and its sig). So, when an official packager updates the DB, to prevent an attacker with access to our servers from sneaking in an old version of some package, they really need to check that the DB was properly signed by another official packager before making changes and signing it themselves. That is the cryptographically secure way. The other way which has been proposed is based on the assumption that some "hardened" server cannot be breached; then we push our changes to this server and rely on it for automatically signing the DB. -- Gaetan
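The two checks described in the comment above, as an added example that is not part of the original thread or of Arch's tooling: a packager verifies the current DB signature before changing and re-signing it, and a client accepts a package only if it is the version the signed DB lists. Assumptions: the DB is a mapping of `pkgname` to `[pkgver, pkgrel]`, HMAC-SHA256 stands in for a detached OpenPGP signature so the code runs offline, and all names, keys and versions are constructed.

```python
import hashlib
import hmac
import json

# Constructed packager keys. HMAC-SHA256 stands in for a detached OpenPGP
# signature so the example runs offline; a real repo would use public keys.
PACKAGER_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def serialize(db):
    """Canonical bytes for a DB mapping pkgname -> [pkgver, pkgrel]."""
    return json.dumps(db, sort_keys=True).encode()

def sign_db(db, signer):
    """Return (signer, signature) over the whole DB."""
    mac = hmac.new(PACKAGER_KEYS[signer], serialize(db), hashlib.sha256)
    return signer, mac.hexdigest()

def verify_db(db, sig):
    """True only if the DB carries a valid signature from a known packager."""
    signer, digest = sig
    key = PACKAGER_KEYS.get(signer)
    if key is None:
        return False
    expected = hmac.new(key, serialize(db), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)

def packager_update(db, sig, me, pkgname, pkgver, pkgrel):
    """Check the previous packager's signature before changing and re-signing."""
    if not verify_db(db, sig):
        raise ValueError("current DB is not signed by an official packager")
    new_db = dict(db)
    new_db[pkgname] = [pkgver, pkgrel]
    return new_db, sign_db(new_db, me)

def client_accepts(db, sig, pkgname, pkgver, pkgrel):
    """Accept a package only if it is the version the signed DB lists.

    The package's own signature is assumed to have verified already; that
    alone cannot tell a current package from an outdated one.
    """
    return verify_db(db, sig) and db.get(pkgname) == [pkgver, pkgrel]

# Constructed sample data.
DB0 = {"openssl": ["1.0.1", "2"], "zlib": ["1.2.7", "1"]}
SIG0 = sign_db(DB0, "alice")
DB1, SIG1 = packager_update(DB0, SIG0, "bob", "openssl", "1.0.1", "3")
```

Replaying `DB0` together with `SIG0` still verifies in this sketch, which is the "withholding the DB and its sig" case the comment refers to.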