Hi,

I just rebased the gpg work on top of my working branch and pulled in a couple of patches to do with the pacman-key tool so I thought it would be a good time to get a summary of where we are on this.

Here is my take on the current status. I would like to keep this list up-to-date so we can track progress, so feel free to reply adding anything I have missed.

pacman-key:
 - tool to manage pacman keyring
 - TODO: man page needs tidying/clarification

makepkg:
 - will sign packages and produce detached signature if the "sign" option is enabled in makepkg.conf
 - split packages, PKGDEST etc all handled
 - TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
 - TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)

repo-add:
 - adds package signature (base64) to repos if available when adding package
 - has option to sign a repo after creation and verify current signature before making changes
 - TODO: check signature used to verify is not only good but is also in a list of accepted keys (???)
 - TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
 - TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)

pacman:
 - reads in keys from repo-db and decodes them when needed
 - reads in .sig files when beside a package being loaded from the filesystem
 - integrated gpgme into pacman for signature verification
 - provide options to control signature verification on a per repo basis
 - verifies signatures of packages when installing from repo
 - TODO: create directories needed for keyring during "make install"
 - TODO: verify signatures for packages installed from filesystem (???)
 - TODO: download and verify signatures of dbs (patches:
   http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html
   http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)

I think the very last TODO there is the only thing stopping us from getting some actual testing of this work underway. I think I have my head around what the two patches are doing now, but I am not sure I like the "how" of that doing. So I will make an attempt into hacking them as I see fit in the next few days... Then I will publish a signed repo with a pacman-git and we can see how this all goes!

Allan