[arch-general] Is it secure to just sign repository databases?
16 Jun 2019, 9:03 a.m.
Hello,

I run a repository locally that I would like to share with the public. The build is mostly automated. That's why I don't want to sign each individual package. The private key is not stored on the build machine and I want to sign the resulting stuff externally. The easiest way would actually be to just manually sign the database file. As this file includes all checksums of the individual packages, I think this is as secure as signing every package, right?

Thanks in advance,
Manuel
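As an added illustration of the trust chain the question relies on (example code written for this page, not code from the thread or from pacman): the signature covers the database file, the database carries each package's SHA256SUM, and the client compares the package bytes against that entry. The desc layout mirrors the one inside pacman repo databases; the sample package, its entry, and the db_signature_ok flag standing in for the result of verifying the detached database signature are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample package and a matching repo db 'desc' entry (the layout pacman
# repo databases carry inside the .db tarball); not a real package or repository.
PKG_FILENAME = "hello-1.0-1-x86_64.pkg.tar.zst"
PKG_BYTES = b"constructed package contents, not a real archive"
DESC_TEXT = (
    "%FILENAME%\n" + PKG_FILENAME + "\n\n"
    "%NAME%\nhello\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%SHA256SUM%\n" + hashlib.sha256(PKG_BYTES).hexdigest() + "\n\n"
)

def parse_desc(text):
    """Parse one 'desc' file into {FIELD: value}; fields are %FIELD% blocks
    separated by blank lines."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"%(\w+)%\n(.*?)(?:\n\n|\Z)", text, re.S)}

def verify_package(desc_entries, db_signature_ok, filename, pkg_bytes):
    """Check a package against a signed database. db_signature_ok stands for the
    result of verifying the detached signature over the exact bytes of the whole
    .db file (assumed here; in practice that is a gpg/gpgme verification). Nothing
    read from the database is trusted unless that check passed. Returns (ok, reason)."""
    if not db_signature_ok:
        return False, "database signature invalid; its checksums cannot be trusted"
    entry = next((e for e in desc_entries if e.get("FILENAME") == filename), None)
    if entry is None:
        return False, "package not listed in the signed database"
    expected = entry.get("SHA256SUM", "")
    if not expected:
        return False, "signed database carries no SHA256SUM for this package"
    actual = hashlib.sha256(pkg_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch: package bytes differ from the signed database"
    return True, "package integrity bound to the signed database"

def demo():
    """Exercise the three outcomes: intact, tampered package, unverified database."""
    entries = [parse_desc(DESC_TEXT)]
    ok, _ = verify_package(entries, True, PKG_FILENAME, PKG_BYTES)
    tampered, _ = verify_package(entries, True, PKG_FILENAME, PKG_BYTES + b"x")
    unsigned, _ = verify_package(entries, False, PKG_FILENAME, PKG_BYTES)
    return ok, tampered, unsigned

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The chain only holds when the client actually compares the downloaded file against the checksum from the signed database; a package file installed directly from disk without a database entry has nothing to be verified against.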