Feb 9, 2024 12:25:02 Wilhelm Schuster <aur@rot13.io>:
> Hi,

Hi,

> I maintain the AUR package for wget2 [0] (which has `validpgpkeys()` populated) and have recently been contacted by a user that has trouble with GPG signature verification when building the package in a Docker container (using aurutils apparently).

I also use aurutils, although I don't use a container; that seems like a waste of time to me, as you can easily set aurutils to build in a clean chroot every time. I haven't explored the whole breadth of possibilities with aurutils yet as my migration to it is relatively recent, but from what I've seen, most of it is essentially some scripts/commands that work using devtools and/or make{,chroot}pkg as a backend. It should be possible to switch off pgp verification in it, or even get it to pull pgp keys from somewhere else. I am unsure how, however.

> Their first suggestion was for me to drop the validpgpkeys section to make it easier for them to build the package. This is not something I'm willing to implement as that means downgrading security for other users of the package.
> Their second suggestion was for me to add the GPG public keys directly to the AUR package. My first thought was that this is also not a good idea,

I personally agree with your point of view on both suggestions. AUR packages that are signed are very rare, but when that happens they should be kept signed, as it proves the source isn't tampered with.

> Do you think including GPG keys with AUR packages to make it easier for some users is a good idea? Or should they just use `--skippgpcheck`? Are there any glaring issues I'm missing here? Do you know of AUR packages that include the GPG keys for source verification similar to what Arch packages do?

In order: no; ideally not, but if they wish to skip it, it's their problem; see below; not that I can remember currently. What you're missing is that they're using aurutils, an AUR helper. Such tools are officially unsupported. The only thing that matters for AUR packages is that in a clean chroot running makepkg lets you build the entire thing, even if you have to manually add the pgp keys to the pacman gpg keyring in the chroot before building. In other words, if they encounter an issue with aurutils not building packages due to pgp keys, they should probably bring that issue up with the aurutils developers rather than asking individual AUR maintainers to compromise the security of their PKGBUILDs for their helper to work.

--
Kusoneko
GPG: https://kusoneko.moe/gpg.txt
https://kusoneko.moe
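The keyring-in-the-chroot advice above rests on what makepkg actually checks: `validpgpkeys` pins which key fingerprint may sign the source, while the key material itself comes from the builder's keyring. The following is an added example, not code from this thread, from makepkg or from the wget2 package: a small POSIX sh reimplementation of that check, with a constructed placeholder fingerprint and constructed gpg status lines so it runs offline (the function names `check_validsig`, `verify_source`, `fake_status` and `demo` are mine).

```shell
#!/bin/sh
# Added example (not makepkg's code): reimplements the validpgpkeys check.
# makepkg runs gpg with --status-fd and accepts a source only if the
# VALIDSIG fingerprint is listed in the PKGBUILD's validpgpkeys array.

# Constructed placeholder fingerprint standing in for validpgpkeys=(...).
# POSIX sh has no arrays, so this is a whitespace-separated list.
VALIDPGPKEYS='0123456789ABCDEF0123456789ABCDEF01234567'

# check_validsig STATUSFILE
# 0: GOODSIG and the signing-key fingerprint (field 3 of VALIDSIG) or the
#    primary-key fingerprint (last field) is pinned in VALIDPGPKEYS
# 1: no good signature at all
# 2: good signature, but from a key the PKGBUILD does not trust; this is
#    exactly the case that --skippgpcheck would silently accept
check_validsig() {
    grep -q '^\[GNUPG:\] GOODSIG ' "$1" || return 1
    line=$(grep '^\[GNUPG:\] VALIDSIG ' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    signing=$(printf '%s\n' "$line" | awk '{ print $3 }')
    primary=$(printf '%s\n' "$line" | awk '{ print $NF }')
    for fpr in $VALIDPGPKEYS; do
        if [ "$fpr" = "$signing" ] || [ "$fpr" = "$primary" ]; then
            return 0
        fi
    done
    return 2
}

# verify_source FILE: the real check. Needs FILE.sig beside FILE and the
# signer's public key already in the keyring (e.g. gpg --recv-keys FPR).
verify_source() {
    status=$(mktemp) || return 1
    gpg --status-fd 1 --verify "$1.sig" "$1" >"$status" 2>/dev/null
    check_validsig "$status"; rc=$?
    rm -f "$status"
    return "$rc"
}

# fake_status SIGNING_FPR PRIMARY_FPR: constructed gpg status lines.
fake_status() {
    printf '[GNUPG:] GOODSIG %s Example Signer <signer@example.invalid>\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2024-02-09 1707480302 0 4 0 22 8 00 %s\n' "$1" "$2"
}

# demo: pinned key passes (0), unpinned key is rejected (2).
demo() {
    pinned=$(mktemp); other=$(mktemp)
    fake_status 0123456789ABCDEF0123456789ABCDEF01234567 0123456789ABCDEF0123456789ABCDEF01234567 >"$pinned"
    fake_status FEDCBA9876543210FEDCBA9876543210FEDCBA98 FEDCBA9876543210FEDCBA9876543210FEDCBA98 >"$other"
    check_validsig "$pinned"; a=$?
    check_validsig "$other"; b=$?
    rm -f "$pinned" "$other"
    [ "$a" -eq 0 ] && [ "$b" -eq 2 ]
}
```

Running `demo` shows why the fingerprint alone is enough to ship in the PKGBUILD: the user's builder only has to import the key by that fingerprint, and an unpinned key is still refused even when gpg itself reports a good signature.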