- detached signature external to the package: the package will stay unchanged and there'll be a new file for the signature.
- detached signature internal to the package: makepkg would generate a detached signature, but would tar the package and the signature into a new file, so that both are always together (Debian and RPM based distros do it that way). This would have a bigger impact on all developer tools and pacman itself.
- attached signature: the signature would contain the signed file, and pgp would be used to extract the signed file. Just like the one above, this would require lots of changes to the tools.
We have to choose so we can also effectively support unsigned packages. I think there is no reason to sign packages built locally using a PKGBUILD from AUR or elsewhere - the weak point is the build script itself, and it is possible that some users will choose not to verify packages upon installation. So I think only the first two options are viable.
I believe that these suggestions are feasible and will bring a new level of quality to Arch Linux. Allan's gpg branch of the pacman git repository is in a good position in relation to what I suggested above. One possible problem is that gpgme is not able to update a trustdb (or at least I couldn't find how). Maybe we'll have to use some script for that.

-----
Comments and criticism are very appreciated.
Nice research! Generally, this version is ok and I think it solves the package signing/verification functionality, but we should carefully study this further. Also we could try to find a solution for the problem where it is possible to install an old version of signed packages from the repo. I have created a git repository from Allan's gpg branch: http://gitorious.org/pacman-pkgsig

-- Alekss