On Wed, May 5, 2010 at 2:49 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi@ymail.com> wrote:
I would prefer having the signature along with the package. Maybe as a tar extended header. This way you can't lose the detached signature (it also means that you need to download twice as many files).
Hey, that would be cool! We wouldn't need to change the name structure of the package and would not lose the signature.
In fact, that is not possible. Because the signature is made over a stream of bytes, independent of the real content, signing a .tar.gz is absolutely identical to signing a text file or whatever else. If you sign the .tar file and after that insert the signature inside the .tar, you'll invalidate the signature, because the original stream of bytes is not the same anymore. What we could do in the future is to have a signed package format, with an internal .tar.xz file (the real package) and the signature tarred together. But I think this is the least of our worries.
Could the trust database be updated via pacman using post_install on some pacman-keychain package?
Allan, I don't see how the pacman-keychain database is going to be updated, since we should also allow the user to make manual changes, so simply replacing the file wouldn't work.
There'll be a script for that, so users and the post-install script will be able to handle it without getting into the details of keyring manipulation. It will be something like:
# pacman-key --import <keyfile>
# pacman-key --trust <keyid>
post-install would call pacman-key --updatedb and the script would delete the old keys and append the new ones, as I wrote in the reply to Allan. This must be called as root, but pacman is always called as root also, so it is not a problem.
In the last case, the user will have to explicitly inform the trust level of the key. We even could automate this, but I don't think it is a good idea. The user must have responsibility for his system (Arch Way rules). I'll try to commit it to gitorious as soon as I get home, so you can have a look and the discussion is brought to a more practical level too.
I've not yet committed the script, but I'm sending it here (the pastebin will expire in 1 month), so we all can play with it and send suggestions. It is very similar to apt-key, but has some enhancements. One of them is the command to trust a key. The fingerprint of the key will be shown to the user and the key will be edited in gpg (with the --edit-key command). The user will then confirm that the fingerprint is correct and type 'trust'. gpg will ask him what the level of trust is and the change will be saved on the trust db of pacman.

http://pastebin.com/YxGM1Sxq

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

Denis A. Altoe Falqueto