Gaetan Bisson wrote:
[2012-09-16 16:03:19 +0000] Xyne:
By "check it" I mean check that each signature in the database is authentic and trusted, and that every package in the database is signed.
Signing the DB serves a completely different purpose to all the signatures on its packages.
I see now that what I proposed would not ensure the integrity of package metadata such as dependencies. What about individually signing the metadata of each package in the database when a package is added? The packaging procedure would then be:

1) build and sign package locally
2) generate and sign "depends", "desc", etc. files locally
3) upload package and signatures to server
4) add package and signatures to (locked) database on server
5) download database
6) check metadata signatures
7) sign database and upload signature

Cons:
* redundant generation of metadata files
* more data in database

Pros:
* database integrity can be checked without having to rebuild it locally

To clarify, with a chain of trust you need a trusted starting point. That means that someone has to verify all of the package signatures and then locally rebuild the database from scratch. If there is ever a doubt that the chain has been broken (due to malice, carelessness in updates, whatever) then that needs to be repeated. Signing per-package metadata should avoid that. The metadata signatures could be kept out of the database if space is an issue, but each packager would need to download them to check the database in that case. If they are kept in the database then signing the database file itself may be unnecessary. Pacman could verify the integrity of the metadata for each package when it downloads the database.
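As an added illustration (not code from this thread or from pacman), here is a Python model of step 6 and of the closing point: a sync database built as a tarball with per-package desc/depends entries and a detached signature beside each, plus a verifier that reports every package that is unsigned or whose metadata no longer matches its signature. The HMAC stand-in for an OpenPGP detached signature, the `PACKAGER_KEY`, and the `SAMPLE` packages are assumptions so that it runs offline.

```python
import hashlib
import hmac
import io
import tarfile

# Stand-in for a packager's detached OpenPGP signature (constructed for this
# example): HMAC-SHA256 over the metadata file. Real code would call gpg.
PACKAGER_KEY = b"example-packager-key"
def sign_metadata(data: bytes) -> bytes:
    return hmac.new(PACKAGER_KEY, data, hashlib.sha256).hexdigest().encode()

def _add_file(tar, path, data):
    info = tarfile.TarInfo(path)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_db(packages, unsigned=(), tamper=None):
    """In-memory sync db: <pkg>/desc, <pkg>/depends, each with a .sig beside it.
    `unsigned` skips step 2 for a package; `tamper` swaps content in after signing."""
    tamper = tamper or {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for pkg, files in packages.items():
            for fname, content in files.items():
                _add_file(tar, f"{pkg}/{fname}", tamper.get((pkg, fname), content))
                if pkg not in unsigned:
                    _add_file(tar, f"{pkg}/{fname}.sig", sign_metadata(content))
    return buf.getvalue()

def verify_db(db_bytes):
    """Step 6: {pkg: 'ok' | 'unsigned' | 'bad-signature'}, worst verdict per package."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                files[m.name] = tar.extractfile(m).read()
    verdicts = {}
    for path, data in files.items():
        if path.endswith(".sig"):
            continue
        sig = files.get(path + ".sig")
        v = ("unsigned" if sig is None else "ok"
             if hmac.compare_digest(sig, sign_metadata(data)) else "bad-signature")
        verdicts.setdefault(path.split("/", 1)[0], set()).add(v)
    order = ("unsigned", "bad-signature", "ok")
    return {pkg: next(s for s in order if s in vs) for pkg, vs in verdicts.items()}

SAMPLE = {"foo-1.0-1": {"desc": b"%NAME%\nfoo\n", "depends": b"%DEPENDS%\nglibc\n"},
          "bar-2.3-1": {"desc": b"%NAME%\nbar\n", "depends": b"%DEPENDS%\nfoo\n"}}  # constructed
```

With a real OpenPGP signature the verifier would also have to check that the signing key is in the packager keyring and trusted, which the HMAC stand-in cannot model.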