On 03/11/13 11:19, Allan McRae wrote:
Add function to sign repo database. Enabling signing requires setting SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted from signing package files.
Signed-off-by: Allan McRae <allan@archlinux.org> ---
GPG does not have a concept of some keys being valid for some tasks. So pacman can not have this concept without implementing a complete hack or requiring two separate keyrings (one for databases and one for packages). Both of these are not going to happen, so we need to deal with restricting key usage in dbscripts. The idea here is that someone creates a repo signing key and all master keys sign it. Then a subkey is created and put on nymeria. If we have issues, the subkey is revoked and a new subkey is created. Note that the patch assumes the db key will be added to nymeria's pacman keyring which is located in the default location. Allan