On Wed, Apr 28, 2010 at 10:39 AM, Allan McRae <allan@archlinux.org> wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package signing.
Good to see someone interested in this. I suggest you join the pacman-dev list where all discussion about pacman development occurs.
There is also some code floating around that has started to implement this. This is my gpg branch containing those patches - http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg .
Hi, Allan and Aleksis. I was thinking about this problem for some time and the more complex part is the key distribution and trusting. Now I may have come to something useful. I'm thinking about a two-way signing process. The dev signs the package and sends it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature is discarded and a new one is made, with an official Arch key. So the problem of distributing keys is solved. We just need to distribute and trust the official public key of Arch.

If some new developer comes to the team, their digital fingerprint is added to the list of trusted devs. If someone is removed, their fingerprint is removed. The users will trust anything the server has signed, because physical access to the private key is kept safe (so we hope :)). If some developer loses confidence in his key, he can generate another and send the fingerprint to the admin, so it can be added to the trusted list.

I am willing to help with any efforts in this area. I'm already subscribed to pacman-dev and if this discussion pops up there, count me in.

[1] - there should be a list of fingerprints of trusted devs, only writeable by a few admins.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
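The two-step flow described in the message above, as an added example that is not part of the thread and not pacman's own code. It models the server-side check (signature valid, fingerprint on the admin-maintained list), the discard-and-re-sign step with the official key, key rotation for a developer, and the client trusting only the official key. Textbook RSA with small constructed primes stands in for GPG so that the script runs with the standard library alone; it is not a usable signature scheme. All function names (`make_key`, `server_resign`, `client_check`, `run_demo`) and the package contents are constructed for the illustration.

```python
"""Model of the two-step package-signing flow from the mail: the developer
signs, the server verifies the signature against an admin-maintained list of
trusted fingerprints, then drops the developer signature and signs with the
official key. Constructed example; the toy RSA below is a stand-in for GPG
and must not be used as a real signature scheme."""
import hashlib
import math


def _is_prime(n):
    # trial division is fine for the ~7-digit toy primes used here
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def make_key(seed, e=65537):
    """Deterministic toy RSA key pair from a seed (constructed, not GPG)."""
    p = _next_prime(1_000_000 + seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"pub": (n, e), "priv": (n, d)}


def fingerprint(pub):
    """Stand-in for a GPG key fingerprint: hash of the public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def server_resign(upload, trusted, official_priv):
    """Upload hook / cron job on the server.

    upload  : (package bytes, developer signature, claimed fingerprint)
    trusted : fingerprint -> public key, writeable only by a few admins
    Returns (official signature or None, status string). The server looks
    the key up in its own list rather than trusting one sent with the upload.
    """
    package, dev_sig, fp = upload
    dev_pub = trusted.get(fp)
    if dev_pub is None:
        return None, "rejected: unknown fingerprint"
    if not verify(dev_pub, package, dev_sig):
        return None, "rejected: developer signature invalid"
    # developer signature is discarded here; only the official one ships
    return sign(official_priv, package), "accepted"


def client_check(package, official_sig, official_pub):
    """pacman side: trust exactly one key, the official Arch public key."""
    return official_sig is not None and verify(official_pub, package, official_sig)


def run_demo():
    dev_a, dev_b, official = make_key(0), make_key(500), make_key(9000)
    trusted = {fingerprint(dev_a["pub"]): dev_a["pub"]}  # admin-maintained list
    pkg = b"example-1.0-1-x86_64.pkg.tar.xz: constructed package contents"
    r = {}

    # trusted dev signs and uploads -> re-signed, client accepts
    up = (pkg, sign(dev_a["priv"], pkg), fingerprint(dev_a["pub"]))
    sig, r["trusted_dev"] = server_resign(up, trusted, official["priv"])
    r["client_accepts"] = client_check(pkg, sig, official["pub"])

    # someone not on the list -> rejected, nothing signed
    up = (pkg, sign(dev_b["priv"], pkg), fingerprint(dev_b["pub"]))
    r["unknown_sig"], r["unknown_dev"] = server_resign(up, trusted, official["priv"])

    # trusted dev's signature but the package changed on the way -> rejected
    up = (pkg + b" tampered", sign(dev_a["priv"], pkg), fingerprint(dev_a["pub"]))
    _, r["tampered"] = server_resign(up, trusted, official["priv"])

    # key rotation: dev A generates a new key, admin swaps the fingerprint
    dev_a_new = make_key(42)
    del trusted[fingerprint(dev_a["pub"])]
    trusted[fingerprint(dev_a_new["pub"])] = dev_a_new["pub"]
    up = (pkg, sign(dev_a["priv"], pkg), fingerprint(dev_a["pub"]))
    _, r["old_key_after_rotation"] = server_resign(up, trusted, official["priv"])
    up = (pkg, sign(dev_a_new["priv"], pkg), fingerprint(dev_a_new["pub"]))
    _, r["new_key_after_rotation"] = server_resign(up, trusted, official["priv"])

    # a raw developer signature never satisfies the client
    r["client_rejects_dev_sig"] = not client_check(
        pkg, sign(dev_a_new["priv"], pkg), official["pub"])
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the model makes explicit is that the server's trust decision keys off its own copy of the fingerprint list, not off material in the upload, and that the client side only ever needs one public key; rotating or removing a developer key is an edit to the server-side list and never touches users.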