On Mon, Jun 2, 2008 at 6:46 PM, Geoffroy Carrier <geoffroy.carrier@koon.fr> wrote:
Excerpts from Geoffroy Carrier's message of Tue Jun 03 01:25:31 +0200 2008:
Keyring in pacman.conf, --keyring in pacman, support for this option in libalpm and pacman.
Now that I have a keyring, I'd like to start using it :)
Three options here:
- Include tons of code from gpg in pacman :) Of course not the good move...
- Use gpgme. This library will rely on gnupg. Not the good move IMHO.
- Use popen/fork and exec*. That's basically git's behaviour. We might wanna know gnupg's path somehow ;) Do we want to rely on the shell or use another XferCommand-like to get it? I'd rather use the first solution.
Anyway, it's pretty easy to check the signature then: just send the binary key to gpg --keyring $keyringfile --no-default-keyring --verify - $pkgfilename and expect it to return 0.
We have to think about the default interaction. It would be easy to sign all packages as the first step, so expecting signed packages for the first pacman release including GPG support seems fair to me. I think we should ask the user for confirmation in case packages are not signed, like the apt tools do.
BTW, thanks toofishes for the base64 support. Please contact me on XMPP so that we can share stuff between our repos. My "not-so-experimental, at least things compile" branch is available at http://github.com/gcarrier/pacman/commits/pacgpg but I might not update it on a regular basis.
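The fork/exec variant of the third option above, and the "ask when unsigned" policy from the following paragraph, as an added example in C (this is not pacman or libalpm code, and not code from either branch in the thread). It assumes the caller already knows the gnupg binary's path and the keyring file; the function names run_gpg_verify and check_package_signature and the enum sig_result are my own. The gpg invocation and its documented exit codes (0 all good, 1 at least one bad signature, other values fatal error) are real; gpg --verify with - as the signature argument reads the detached signature from stdin.

```c
/*
 * Added example (not pacman/libalpm code): verify a package's detached
 * signature by fork/exec'ing gpg with an explicit argv. gpg_bin is a
 * parameter so the caller can locate gnupg however it likes (config
 * option, PATH lookup, ...). Function/enum names are assumptions.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum sig_result { SIG_VALID = 0, SIG_INVALID, SIG_MISSING, SIG_ERROR };

/* Run: gpg_bin --batch --no-default-keyring --keyring KEYRING --verify - PKGFILE
 * with the detached signature bytes on stdin. Returns gpg's exit status,
 * 127 if exec failed, -1 on a local failure (pipe/fork/wait). No shell is
 * involved, so keyring and pkgfile are passed as single argv entries and
 * never undergo word splitting or metacharacter interpretation. */
static int run_gpg_verify(const char *gpg_bin, const char *keyring,
                          const unsigned char *sig, size_t siglen,
                          const char *pkgfile)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: stdin <- pipe read end, then exec gpg */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        char *argv[] = {
            (char *)gpg_bin, "--batch", "--no-default-keyring",
            "--keyring", (char *)keyring, "--verify", "-",
            (char *)pkgfile, NULL
        };
        execv(gpg_bin, argv);
        _exit(127); /* exec failed: gpg_bin missing or not executable */
    }

    /* parent: feed the signature. If gpg exits before reading it all, the
     * write fails with EPIPE instead of killing us with SIGPIPE; the exit
     * status collected below then tells the caller what happened. */
    close(fds[0]);
    struct sigaction ign, old;
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigaction(SIGPIPE, &ign, &old);
    size_t off = 0;
    while (off < siglen) {
        ssize_t n = write(fds[1], sig + off, siglen - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            break; /* EPIPE or other: stop feeding, rely on exit status */
        }
        off += (size_t)n;
    }
    close(fds[1]);
    sigaction(SIGPIPE, &old, NULL);

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (!WIFEXITED(status))
        return -1; /* child killed by a signal */
    return WEXITSTATUS(status);
}

/* Policy layer. gpg documents exit 0 when all signatures are good, 1 when
 * at least one is bad, other codes for fatal errors. A missing signature
 * is reported separately so the caller can prompt the user (the apt-like
 * behaviour discussed in the thread) instead of treating it like a bad one. */
static enum sig_result check_package_signature(const char *gpg_bin,
                                               const char *keyring,
                                               const unsigned char *sig,
                                               size_t siglen,
                                               const char *pkgfile)
{
    if (sig == NULL || siglen == 0)
        return SIG_MISSING;
    int rc = run_gpg_verify(gpg_bin, keyring, sig, siglen, pkgfile);
    if (rc == 0)
        return SIG_VALID;
    if (rc == 1)
        return SIG_INVALID;
    return SIG_ERROR; /* 2 = gpg fatal error, 127 = exec failed, -1 = local failure */
}
```

The point of execv over popen is that the package path and keyring path go straight into argv: a filename containing a space, a quote or a backtick cannot alter the command line. Only SIG_VALID should let an install proceed unprompted; SIG_ERROR covers "gpg could not run at all" and should not be confused with a bad signature when reporting to the user.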
FYI for you (Geoffroy) and everyone: I just pushed my gpg branch to toofishes.net, so it is now available there for fetching. This is a combination of Geoffroy's and my patches to try to get GPG support into our tools (makepkg, repo-add, and eventually libalpm/pacman). Please let me know if you see any issues with this branch. -Dan