On Wed, Apr 28, 2010 at 13:18, Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> wrote:
I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature is discarded and a new one is made, with an official Arch key.
This is pretty sensible, but I think that the second step would preclude having a passphrase on the key, as it would have to be called from a script. Another way to do it might be to have the upload verified by sender key and then have the uploader sign the repo db (during the db-update step probably?). We'd have to have a keyring, but with this method even if the server is compromised the db is safe from tampering, since the keyring is signed by the highest-trust key (phrak, presumably), and that lists the keys which are allowed to sign the repo itself, so there's no way to insert untrusted keys into the keyring or repo. Perhaps the keyring package could require double-signing to also prevent an attack where phrak gets hacked again and loses his key :)