Hi,

I have been thinking about the DB signing feature recently, and I have dug up old emails regarding this topic. If I understand correctly:

- we would like database signing to prevent an attacker from messing with the information contained in the database, whether at rest on a mirror or in flight. Packages being signed protects us from most issues, but it is still possible, for example, to prevent a specific package from being upgraded by altering its entry in the database;
- requiring TUs and devs to sign the database when publishing a package is not easy;
- we don't want to have a package-signing key online if we can prevent it, so ideally the key used to sign the database should not be able to sign packages;
- in addition to that, it would be nice if package-signing keys were not able to sign the database.

I believe a simple solution would be to use a separate WoT for database signing, distinct from the one used for package signing. This would require the generation of new, separate master keys for verifying db-signing-only keys. The master keys would be kept offline, while a db-signing key would be kept online on an official Arch server and used by repo-add to sign the database upon modifications.

As I am not a TU nor a developer, I am not familiar with the exact process used to publish packages. I have discussed this a bit with Levente, but this is clearly the fuzziest part for me, so please let me know if this is nonsense. This may require the use of a set-uid or set-gid binary so that different users are allowed to use repo-add without giving them access to the db-signing key.

With database signing set up this way, a compromised mirror could not alter the database or the packages without being detected. If the db-signing key were to be compromised, this would not be enough to alter the content of packages, and the key could be revoked and replaced quite easily, so we would not be in a worse position than without db signing.
Most of the code required for this to work is already in pacman. We would still need to patch pacman to be able to use a separate gnupg directory for the database WoT, distinct from the packages WoT. I have attached a PoC patch to illustrate this idea, but it clearly needs more work. Any thoughts?
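The two-keyring design in the post, as an added illustration (this is not code from the post, from pacman, or from the attached patch): a small Go model in which ed25519 stands in for the OpenPGP keys, two in-memory `Keyring` values stand in for the two gnupg directories, and a `Client` stands in for pacman checking a mirror's database with one ring and its packages with the other. The names `Keyring`, `Client`, `Repo` and `Scenarios` are hypothetical, and all package and database contents are constructed sample data. The scenarios play out the properties argued for above: a mirror editing a database entry is caught, a package key cannot stand in for the database key and vice versa, and revoking the online db key invalidates its old signatures without touching package trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyring stands in for one gnupg home directory: the public keys trusted
// for exactly one purpose, either database signing or package signing.
type Keyring struct {
	Purpose string
	Keys    []ed25519.PublicKey
}

// Verify accepts data only if a key in this ring produced sig; a signature
// from a key in the other ring is rejected although it is valid ed25519.
func (k *Keyring) Verify(data, sig []byte) error {
	for _, pub := range k.Keys {
		if ed25519.Verify(pub, data, sig) {
			return nil
		}
	}
	return fmt.Errorf("%s keyring: not signed by a trusted key", k.Purpose)
}

// genKey makes one key pair (packager key or online db-signing key); panics only if entropy fails.
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Repo is what a mirror serves: package, database and their signatures.
type Repo struct {
	Package, PackageSig, Database, DatabaseSig []byte
}

// Client models pacman configured with two separate keyrings.
type Client struct {
	PackageRing, DatabaseRing *Keyring
}

// Check verifies the database with the database ring and the package with
// the package ring; a failure of either aborts the sync.
func (c *Client) Check(r Repo) error {
	if err := c.DatabaseRing.Verify(r.Database, r.DatabaseSig); err != nil {
		return fmt.Errorf("database rejected: %w", err)
	}
	if err := c.PackageRing.Verify(r.Package, r.PackageSig); err != nil {
		return fmt.Errorf("package rejected: %w", err)
	}
	return nil
}

// Scenarios plays the cases from the proposal on constructed sample data and
// returns each outcome: nil means the client would accept the repository.
func Scenarios() map[string]error {
	pkgPub, pkgPriv := genKey() // packager key, never on the repo host
	dbPub, dbPriv := genKey()   // online db-signing key used by repo-add
	client := &Client{
		PackageRing:  &Keyring{Purpose: "package", Keys: []ed25519.PublicKey{pkgPub}},
		DatabaseRing: &Keyring{Purpose: "database", Keys: []ed25519.PublicKey{dbPub}},
	}
	pkg := []byte("constructed contents of foo-2.0-1-x86_64.pkg.tar.zst")
	db := []byte("%NAME%\nfoo\n%VERSION%\n2.0-1\n") // constructed db entry
	good := Repo{Package: pkg, PackageSig: ed25519.Sign(pkgPriv, pkg),
		Database: db, DatabaseSig: ed25519.Sign(dbPriv, db)}
	out := map[string]error{"honest mirror": client.Check(good)}
	// Mirror rewrites the entry to hold foo at an old version: db sig fails.
	stale := good
	stale.Database = []byte("%NAME%\nfoo\n%VERSION%\n1.0-1\n")
	out["mirror edits database entry"] = client.Check(stale)
	// A package-signing key is not accepted for the database...
	crossDB := good
	crossDB.DatabaseSig = ed25519.Sign(pkgPriv, db)
	out["database signed with package key"] = client.Check(crossDB)
	// ...and the online db-signing key is not accepted for packages.
	crossPkg := good
	crossPkg.PackageSig = ed25519.Sign(dbPriv, pkg)
	out["package signed with db key"] = client.Check(crossPkg)
	// Compromised db key revoked and replaced: old db signatures stop
	// validating, the replacement works, package trust is untouched.
	newPub, newPriv := genKey()
	client.DatabaseRing.Keys = []ed25519.PublicKey{newPub}
	out["old db key after revocation"] = client.Check(good)
	resigned := good
	resigned.DatabaseSig = ed25519.Sign(newPriv, db)
	out["replacement db key"] = client.Check(resigned)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-34s %v\n", name, err)
	}
}
```

Running it prints one line per scenario with `<nil>` for the two accepted cases and the rejecting keyring's error for the rest. The separation property is entirely in `Client.Check`: the database signature is only ever offered to the database ring and the package signature only to the package ring, which is the behaviour a pacman patch adding a second gnupg directory would need to preserve.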