On Tue, Feb 15, 2011 at 7:18 AM, Michael Seiwald <michael@mseiwald.at> wrote:
On 02/08/2011 11:02 PM, Dan McGee wrote:
>> (4) Signing keys
>>
>> Currently when adding a signed package to the repository with repo-add, the signature of the package itself (generated with the package maintainer's key) is included in the sync db (as the %PGPSIG% field in the desc file of the package). Afterwards, the updated sync db is also signed. Firstly, we are not sure how this should be handled in practice. Will the sync db be signed with a central repository key? Or with one of the developers' keys? Either way, the package signature in the sync db (%PGPSIG%) adds no additional security value, because when pacman verifies both the package signature and the signature of the sync db, it uses one single keyring (/etc/pacman.d/gnupg/pubring.gpg) for all the signatures.
>
> But not one key, and how does one verify a package they got that was not in a sync DB? Or in a sync DB managed by someone they may trust less, but packaged by someone they may trust more?

> A package not in a sync DB cannot be verified, regardless of keeping the package signature in the sync db. If the sync DB is signed, the hash of the package file is sufficient to verify its integrity. The only way allowing for the verification of packages which are not part of the sync DB I can think of would be to somehow make the packages contain the signatures (like RPM packages).

I am not following this point whatsoever. RPM package containing signature == zip of signature + package contents in another zip. There is no added security benefit of this that I can possibly see over package + detached signature: the only thing they are doing is tying it up with some ugly rope and shipping it to you as one file.

And the hash of the package file is not at all enough to verify integrity! For one, md5 is not secure, and we've never pretended this is supposed to be anything more than a quick download check. Second, you have continued to run around the issue I stated where not all packages are in a sync repository: drop your "If" clause and your whole point falls down.

Your other point, "A package not in a sync DB cannot be verified", is also unclear; can you please elaborate?

-Dan
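The thread turns on what %PGPSIG% actually is: repo-add base64-encodes the detached OpenPGP signature of the package file into the desc entry, so the signature can be pulled back out of the sync db and used as an ordinary detached signature against the package, exactly as Dan's "package + detached signature" framing suggests. The script below is an added example for this thread, not pacman's or repo-add's own code: it parses a desc entry, decodes %PGPSIG%, checks that the bytes are an RFC 4880 v4 signature packet over a binary document (reading the creation time and issuer key ID from the subpackets), and returns the `<FILENAME>.sig` that `gpg --verify` would take. It also shows the only integrity check the db itself carries for the package body, an MD5 comparison. The desc text and the signature packet are constructed here (the packet has valid framing but a meaningless MPI, so it cannot verify against any real key); the helper names are this example's own.

```python
"""Recover the detached OpenPGP signature that %PGPSIG% carries and inspect it.
Added example, not pacman code; the desc entry and signature bytes are constructed."""
import base64
import hashlib
import struct

TAG_SIGNATURE = 2        # RFC 4880 packet tag for a signature packet
SIG_TYPE_BINARY = 0x00   # signature over a binary document (what `gpg -b` makes)


def parse_desc(text):
    """Parse pacman's desc format (%FIELD% line, value lines, blank line) into {field: [lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line[1:-1]
            fields[current] = []
        elif line.strip() == "":
            current = None
        elif current is not None:
            fields[current].append(line)
    return fields


def _packet_header(buf):
    """Return (tag, body_offset, body_len) for the OpenPGP packet at buf[0]."""
    b0 = buf[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:  # new-format header
        tag, l1 = b0 & 0x3F, buf[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + buf[2] + 192
        if l1 == 255:
            return tag, 6, struct.unpack(">I", buf[2:6])[0]
        raise ValueError("partial body lengths unsupported")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03  # old-format header
    if ltype == 0:
        return tag, 2, buf[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", buf[1:5])[0]
    raise ValueError("indeterminate length unsupported")


def _subpackets(data):
    """Yield (type, body) for each signature subpacket; bit 7 of the type is the critical flag."""
    i = 0
    while i < len(data):
        l1 = data[i]
        if l1 < 192:
            length, i = l1, i + 1
        elif l1 < 255:
            length, i = ((l1 - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        body = data[i:i + length]
        i += length
        yield body[0] & 0x7F, body[1:]


def inspect_signature(sig):
    """Check the framing of a v4 signature packet and pull out its metadata."""
    tag, off, length = _packet_header(sig)
    if tag != TAG_SIGNATURE:
        raise ValueError("packet tag %d is not a signature packet" % tag)
    body = sig[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    info = {"sig_type": body[1], "pubkey_alg": body[2], "hash_alg": body[3]}
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    for t, b in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if t == 2:
            info["created"] = struct.unpack(">I", b)[0]   # signature creation time
        elif t == 16:
            info["issuer_keyid"] = b.hex().upper()        # 64-bit issuer key ID
    return info


def extract_detached_sig(fields):
    """Rebuild <FILENAME>.sig from %PGPSIG% so `gpg --verify <FILENAME>.sig <FILENAME>` works without the db."""
    sig = base64.b64decode("".join(fields["PGPSIG"]))
    info = inspect_signature(sig)
    if info["sig_type"] != SIG_TYPE_BINARY:
        raise ValueError("expected a binary-document signature")
    return fields["FILENAME"][0] + ".sig", sig, info


def md5_matches(fields, package_bytes):
    """What a signed db alone gives you for the package body: the %MD5SUM% download check."""
    return hashlib.md5(package_bytes).hexdigest() == fields["MD5SUM"][0]


def _stand_in_signature():
    """Constructed v4 signature packet: correct framing, garbage MPI, no real key behind it."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1297776990)          # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("DEADBEEF01234567")    # issuer-key-ID subpacket
    body = (bytes([4, SIG_TYPE_BINARY, 1, 8])                         # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                                             # left 16 bits of the hash
            + struct.pack(">H", 16) + b"\xff\xff")                    # one 16-bit MPI (fake)
    return bytes([0x89]) + struct.pack(">H", len(body)) + body         # old-format tag 2, 2-octet length


SAMPLE_PACKAGE = b"constructed stand-in for the package archive bytes\n"
SAMPLE_DESC = "%FILENAME%\npacman-3.5.0-1-x86_64.pkg.tar.xz\n\n%NAME%\npacman\n\n%VERSION%\n3.5.0-1\n\n" \
    "%MD5SUM%\n" + hashlib.md5(SAMPLE_PACKAGE).hexdigest() + "\n\n" \
    "%PGPSIG%\n" + base64.b64encode(_stand_in_signature()).decode() + "\n"

if __name__ == "__main__":
    fields = parse_desc(SAMPLE_DESC)
    name, sig, info = extract_detached_sig(fields)
    print(name, len(sig), "bytes", info)
    print("md5 matches:", md5_matches(fields, SAMPLE_PACKAGE))
```

The recovered `.sig` is what makes Dan's "not in a sync DB" case tractable: once the signature travels beside the package (or is embedded, as RPM does), verification only needs the signer's key in the keyring, and the db's MD5 is irrelevant to it. Note that the script reads only the packet framing; the actual cryptographic check is gpg's job, against the keyring the thread is arguing about.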