On Mon, 31 Oct 2016 15:19:40 +0100 NicoHood <arch-dev@nicohood.de> wrote:
> Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function as it's highly important for the source integrity and not only meant as a checksum for corruption detection. And as always: more secure does not hurt nowadays
Not a dev here, but... I strongly think that source integrity should not rely on hash functions alone. makepkg already includes validation of PGP-signed sources, but it's perhaps not reasonable to expect every upstream to offer signed sources. As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums. Perhaps makepkg could include, e.g., a sha256sumsigs array that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?

~Celti