On Thu, Mar 22, 2012 at 2:05 PM, Dennis 'Gyroplast' Herbrich <dennis@archlinux.org> wrote:
> Greetings everyone!
>
> I am constructing a local, common repository of packages aggregated from core, extra and community, named 'default' for discussion's sake. This local repository shall be a "frozen" state of a (virtual) machine's package installation, to ensure a common package status across all machines which are using this local repository to upgrade. The idea behind this is to set up an internally tested "baseline" or "stable release" repository for certain clients.
>
> Basically, I want to shove 'pacman -Q' output into my magic bash script on my personal testing machine where all necessary updates are installed, and have a shiny repository ready for use fall out at the end. This is working nicely already, except for one thing that bothers me greatly:
>
> I haven't found a way to reliably download the official package signature files along with the packages themselves through creative use of pacman. I do not REALLY want to fetch the .sig files in another step from the mirror I am using, as that'd require me to construct package FILE names myself instead of just throwing pacman a "core/filesystem=2012.2-2" and letting pacman figure out my architecture and download location. I DO want to have package signing available for my local copy, though.
>
> Is there a way to grab the .sig files along with the package files with pacman, and place them somewhere neat as the CacheDir, for instance?
That's an interesting situation. If I understood you correctly, you have something like:

repository box: Downloads some updates that you'll test and approve. After that, you'll publish a new version of your repository database.

other boxes: Updates from your private repository.

Do they update only from your repository or can they eventually get updates from Arch? I presume they update only from your repository.

What you maybe don't know is that pacman doesn't use those .sig files to really check the packages. The signatures come with each repository database, in the metadata for each signed package. So, you shouldn't really have to download them again; you already got them with Arch's database repositories, in your repository box.

I would do the following:

1. Create a gpg key on the repository box
2. Sign the database you create with repo-add (you can choose the key to use)
3. On the other boxes, use pacman-key to import and trust your repository public key
4. Update your other boxes
5. Be happy :)

For future updates of your repository, you'll have to re-sign it.

What you really get is a two-level trust system. Your repository box trusts Arch's keys and your other boxes trust your repository key.

Hope that helps.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
For more information, please read: http://idallen.com/topposting.html
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
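The steps Denis lists, wired together as an added example script that is not part of the thread: it turns Dennis's 'pacman -Q' output into pacman targets, fetches them into a local directory, signs the database with the repository box's key and shows the client-side import and pacman.conf stanza. REPO_DIR, KEY_ID, the exported key file and the Server URL are assumed or constructed values; the tool-invoking steps only run on an Arch box when called with the argument "build".

```shell
#!/bin/sh
# Added example, not code from the thread. Automates the steps Denis lists:
# fetch the approved packages into a local directory, sign the repo database
# with a key created on the repository box, and trust that key on the clients.
# REPO_DIR, KEY_ID and the Server URL are assumed/constructed values.
set -eu

REPO_NAME="default"                                 # name used in the thread
REPO_DIR="${REPO_DIR:-/srv/repo/default/x86_64}"    # assumed local path
KEY_ID="${KEY_ID:-REPO-KEY-ID-PLACEHOLDER}"         # key from step 1 (gpg --gen-key)

# Turn 'pacman -Q' lines ("filesystem 2012.2-2") into pacman targets
# ("filesystem=2012.2-2"); pacman then resolves repo, arch and mirror itself.
query_to_targets() {
    awk 'NF == 2 { print $1 "=" $2 }'
}

# Download (without installing) the targets read from stdin into REPO_DIR.
fetch_packages() {
    xargs pacman -Sw --noconfirm --cachedir "$REPO_DIR"
}

# Step 2: build the database and sign it with the repository key.
# --verify checks the signatures of the packages being added first.
sign_repo_db() {
    repo-add --verify --sign --key "$KEY_ID" \
        "$REPO_DIR/$REPO_NAME.db.tar.gz" "$REPO_DIR"/*.pkg.tar.xz
}

# Step 3, on each client: import the exported public key ($1) and locally
# sign it so pacman treats it as trusted.
trust_repo_key() {
    pacman-key --add "$1"
    pacman-key --lsign-key "$KEY_ID"
}

# pacman.conf entry for the clients: database and packages must carry a
# signature from a trusted key, so an unsigned or altered database is refused.
repo_stanza() {
    printf '[%s]\nSigLevel = Required\nServer = %s\n' "$1" "$2"
}

# Only the tool-invoking steps need a real Arch box; run them on request.
if [ "${1:-}" = "build" ]; then
    pacman -Q | query_to_targets | fetch_packages
    sign_repo_db
    repo_stanza "$REPO_NAME" 'http://repo.example.internal/default/$arch'
fi
```

After each round of approved updates, rerun the fetch and sign_repo_db steps so the new database is signed again, as Denis notes.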