On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote:
I'm thinking about a two way signing process. The dev signs the package and sends it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature is discarded and a new one is made, with an official Arch key.
If you do it that way you wouldn't have to sign the uploaded packages. I'd publish a list of developers' keys and the user has to add and trust (in GPG terms) those keys. If he trusts them pacman installs packages signed by those keys or keys that can be trusted because they have been signed by them (GPG's web of trust). Otherwise if the (untrusted) sig can be verified pacman could ask and if the sig is broken it could abort. If you do it that way you can also add URLs to binary packages to the AUR and let pacman download them if you trust the sig. C&C welcome.

--
Florian Pritz -- {flo,bluewind}@server-speed.net
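The three-way decision described in the reply above (install when the key is trusted through the web of trust, ask when the signature verifies but the key is untrusted, abort when the signature is broken), as an added example that is not part of this thread or of pacman: it classifies the machine-readable `gpg --status-fd` lines that a package manager would get back from a verification run. The status lines below are constructed sample input with placeholder key ids; mapping NO_PUBKEY/ERRSIG and TRUST_NEVER to "abort" is this example's own choice.

```python
import re

# Constructed gpg --status-fd output for four verification outcomes.
# Key ids and user ids are placeholders, not real developer keys.
STATUS_TRUSTED = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-04-28 1272474000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_FULLY 0 pgp",   # key signed by a key the user trusts
]
STATUS_UNTRUSTED = [
    "[GNUPG:] GOODSIG FEDCBA9876543210 Other Dev <other@example.org>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",   # verifies, but no trust path
]
STATUS_BROKEN = [
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Dev <dev@example.org>",
]
STATUS_NO_KEY = [
    "[GNUPG:] ERRSIG 1111222233334444 1 8 00 1272474000 9 11112222333344441111222233334444AAAABBBB",
    "[GNUPG:] NO_PUBKEY 1111222233334444",
]

def decide(status_lines):
    """Return 'install', 'ask' or 'abort' for one package signature.

    'install': good signature and the key is fully/ultimately trusted
               (directly, or via signatures from trusted keys).
    'ask':     good signature, but the key has no trust path.
    'abort':   signature is bad, cannot be checked, or key is marked never.
    """
    tokens = set()
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] (\S+)", line)
        if m:
            tokens.add(m.group(1))
    # Anything that is not a verified-good signature is refused outright;
    # an unknown key (NO_PUBKEY) cannot be verified, so it counts as broken.
    if tokens & {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG"}:
        return "abort"
    if "GOODSIG" not in tokens:
        return "abort"   # no verdict at all: refuse rather than guess
    if tokens & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
        return "install"
    if "TRUST_NEVER" in tokens:
        return "abort"   # user explicitly distrusts this key
    return "ask"         # TRUST_UNDEFINED / TRUST_MARGINAL: verified, untrusted

if __name__ == "__main__":
    for name, lines in [("trusted", STATUS_TRUSTED), ("untrusted", STATUS_UNTRUSTED),
                        ("broken", STATUS_BROKEN), ("no key", STATUS_NO_KEY)]:
        print(f"{name:10s} -> {decide(lines)}")
```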