On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
> To check the validity of the repo.db signature, we can do:
>
> 1. pacman downloads the repo.db and the signature
> 2. gpg extracts the original hash from the signature
> 3. sha1sum recomputes the hash on the downloaded repo.db
> 4. the recomputed hash and the signed hash are compared
>
> If the comparison is ok, the repo.db is intact. Otherwise, panic!!
Why can't you just sign the package, and let the rest of the process be the way it is? I don't understand why you have to sign the DB too. If the package signature is correct you can safely install it without worrying whether the DB is the latest or not.

If a developer gets compromised you abandon his old key (post on the ML, news item, ... and tell users to update pacman-keyring; maybe you could also use a keyserver here where you just publish a revocation certificate), resign all clean packages and rebuild the rest.

Or am I missing something?

--
Florian Pritz -- {flo,bluewind}@server-speed.net
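Steps 1-4 in the quoted proposal are what `gpg --verify` does internally for a detached signature; the part a pacman-side check still has to decide is which key's signature counts. The following is an added example, not code from this thread or from pacman: a Python wrapper that runs gpg with `--status-fd` and accepts the file (repo.db or a package, the logic is the same) only when gpg reports a VALIDSIG from a fingerprint in a trusted set and no bad or unverifiable signature. The fingerprint and status lines used as sample input are constructed.

```python
import subprocess
from typing import Iterable, Set

# Status keywords that mean "do not trust this file", whatever else gpg printed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(status_lines: Iterable[str], trusted_fprs: Set[str]) -> bool:
    """Decide from gpg's machine-readable status output whether a file is acceptable.

    Returns True only if at least one VALIDSIG line names a trusted fingerprint
    and no failure keyword appeared. Relying on the exit code alone is weaker:
    it says "some signature verified", not "the right key signed it".
    """
    valid_fprs = set()
    failed = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status line
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "VALIDSIG" and len(fields) > 2:
            valid_fprs.add(fields[2].upper())  # field 2 is the signing key fingerprint
        elif keyword in FAILURE_KEYWORDS:
            failed = True
    wanted = {fpr.replace(" ", "").upper() for fpr in trusted_fprs}
    return not failed and bool(valid_fprs & wanted)


def verify_detached(file_path: str, sig_path: str, trusted_fprs: Set[str]) -> bool:
    """Run gpg on a detached signature and apply the policy above (needs gpg installed)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout.splitlines(), trusted_fprs)


# Constructed sample input: a fingerprint and the status lines gpg would emit.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key
SAMPLE_GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.invalid>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2010-05-06 1273179000 0 4 0 1 2 00 {TRUSTED_FPR}",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
SAMPLE_BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Packager <packager@example.invalid>",
]

if __name__ == "__main__":
    print("good sample accepted:", parse_gpg_status(SAMPLE_GOOD_STATUS, {TRUSTED_FPR}))
    print("bad sample accepted:", parse_gpg_status(SAMPLE_BAD_STATUS, {TRUSTED_FPR}))
```

Passing a fingerprint set rather than trusting "any key in the keyring" is what makes key rotation after a compromise workable: drop the old fingerprint from the set and every file it signed stops verifying, independent of whether a revocation certificate has reached the user yet.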