On Mon, Jun 13, 2011 at 12:08 PM, Dan McGee <dpmcgee@gmail.com> wrote:
I also want to make clear, as it seems you have taken Denis' word as the gospel here when he mentioned signing package databases: not a word of what I wrote when starting this thread implied databases, so I apologize for that if it did. Those are no issue at all; they are small enough that we could easily work out a solution similar to what Denis proposed, so we need no remote signing capability at all with those. The only thing I was looking for in this thread was a solution for packages that are too unwieldy to schlep back and forth for the sole reason of signing; things like game data, Sage Mathematics packages, OpenOffice, etc. if they were built on a remote machine.
I really messed up the subject of my previous email. Whenever we discussed remote signing, it was in the context of database signing, so I took that for granted. I was even intrigued by the fact that you were writing about that on pacman-dev instead of on arch-general, so I really messed up big time. Sorry for that.

I'm a little afraid to suggest this, but here we go. Maybe a simpler approach would be to sign only hashes. That way, pacman would always calculate the hash (it already does that for file corruption verification) and see if the signature validates the calculated hash. Makepkg could be updated to calculate a hash and sign it.

Pro: unified handling of files and signatures.

Con 1: a more convoluted solution, needing some considerable reimplementation and testing.

Con 2: it would make using gpg directly harder, as one needs to calculate the hash with the correct algorithm before verifying the signature. But this would happen if your original 3) or 4) option is used.

But, in the end, it would make it easier to sign big packages that are built remotely... I'm not very comfortable with my suggestion, but I'm making it anyway for the sake of discussion.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
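The sign-only-the-hash flow proposed above, as an added example that is not part of this thread nor of pacman or makepkg. It uses openssl (RSA over SHA-256) as a stand-in for gpg, and the package file, key and paths are constructed for the demo; the build host ships only the digest, the signer signs that string, and the client recomputes the digest before verifying, which is also why verifying against the package bytes directly fails (Con 2).

```shell
#!/bin/sh
# Added example (not pacman/makepkg code): sign only the package digest, so a
# large package built on a remote host never travels to the signing machine.
set -eu

WORK=$(mktemp -d)
PKG="$WORK/big-1.0-1.pkg.tar.xz"           # constructed stand-in for a large package
printf 'constructed package contents\n' > "$PKG"

# One-time: the packager's signing key (openssl RSA stands in for the gpg key).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signing.pem" 2>/dev/null
openssl pkey -in "$WORK/signing.pem" -pubout -out "$WORK/signing.pub" 2>/dev/null

# Hash with one fixed algorithm; makepkg and pacman must agree on it.
digest_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Build host sends only the hex digest; the signer signs that short string.
# $1 = digest, $2 = private key, $3 = signature output path
sign_digest() {
    printf '%s' "$1" > "$3.msg"
    openssl dgst -sha256 -sign "$2" -out "$3" "$3.msg"
}

# Client side (pacman): recompute the digest from the downloaded package, then
# verify the signature over that digest. Returns 0 on success, non-zero otherwise.
# $1 = package, $2 = public key, $3 = signature
verify_pkg() {
    printf '%s' "$(digest_of "$1")" > "$3.check"
    openssl dgst -sha256 -verify "$2" -signature "$3" "$3.check" >/dev/null 2>&1
}

# "Con 2" from the message: the signature is NOT over the package bytes, so
# pointing the verifier at the package directly fails even for a good package.
# $1 = package, $2 = public key, $3 = signature
verify_package_bytes_directly() {
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# Demo run: sign the remotely built package by its digest, verify, then tamper.
sign_digest "$(digest_of "$PKG")" "$WORK/signing.pem" "$PKG.sig"
verify_pkg "$PKG" "$WORK/signing.pub" "$PKG.sig" && echo "digest signature valid"
printf 'tampered\n' >> "$PKG"
verify_pkg "$PKG" "$WORK/signing.pub" "$PKG.sig" || echo "tampered package rejected"
```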