On Sun, Aug 20, 2023 at 03:31:41PM +1000, Allan McRae wrote:
> The answer is a solid maybe... Even leaning towards yes here! Questions to answer first:
> 1) would we allow mixed signature verification. e.g. some repos use GPG and others use openssh? Or some repos using both?
I think pacman should have the capability to check repos using both; I don't see how else we could support a distribution migrating from one signature scheme to another (re-signing all packages at once seems impractical). I think the decision of which scheme to allow should be left to configuration, either as a global setting in pacman.conf or as a per-repo one.
> 2) What do we need to add to package entries in repos so that pacman knows the signature file to download.
I would not differentiate signature files depending on the scheme used, and just reuse the same structure (a .sig file). I see two possible ways if we do that:
- detect the scheme used, then verify the signature (probably better error messages)
- try to verify the signature with all allowed schemes (simpler)
> Our current assumptions are very GPG based...
Do you mean just the filename of the signature, or also other things?
> 3) What will be our criteria for including additional signature verification methods? openssh seems a good option for me, but we have had people request one of the other new signing variants.
I would say the criteria should be that a new method brings something more or better compared to those already existing in pacman. That's a bit vague though; it would probably be on a case-by-case basis. You're talking of minisign and signify, I suppose?

-- 
Max Gautier
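An added example, not pacman code and not from anyone in this thread, sketching the "detect the scheme, then verify" option discussed above together with a per-repo allow-list for which schemes are accepted. It keys on the format markers of the three candidates (an OpenPGP packet's first byte always has bit 7 set, ssh-keygen signatures are armored as `-----BEGIN SSH SIGNATURE-----` around a blob starting with `SSHSIG`, and signify/minisign files open with an `untrusted comment:` line); the sample inputs and the `REPO_POLICY` table are constructed.

```python
"""Scheme detection for a repo .sig file plus a per-repo policy gate
(constructed example). The actual cryptographic verification would be
dispatched to the scheme's verifier after this gate passes."""
import base64

SSH_ARMOR_BEGIN = b"-----BEGIN SSH SIGNATURE-----"
SSH_ARMOR_END = b"-----END SSH SIGNATURE-----"

# Hypothetical per-repo configuration: which schemes each repo may use.
REPO_POLICY = {"core": {"gpg"}, "extra": {"gpg", "openssh"}}

def detect_scheme(sig: bytes) -> str:
    """Return 'gpg', 'openssh', 'signify' or 'unknown' from file content."""
    if sig.startswith(SSH_ARMOR_BEGIN):
        body = sig[len(SSH_ARMOR_BEGIN):sig.find(SSH_ARMOR_END)]
        try:
            blob = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            return "unknown"
        return "openssh" if blob.startswith(b"SSHSIG") else "unknown"
    if sig.startswith(b"untrusted comment:"):
        return "signify"
    if sig.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return "gpg"
    if sig and sig[0] & 0x80:  # binary OpenPGP packet header byte
        return "gpg"
    return "unknown"

def check_allowed(sig: bytes, repo: str) -> tuple[bool, str]:
    """Policy gate run before any verifier: a signature in a scheme the repo
    does not allow is rejected, so that scheme's verifier never sees it."""
    scheme = detect_scheme(sig)
    if scheme == "unknown":
        return False, "unrecognised signature format"
    if scheme not in REPO_POLICY.get(repo, set()):
        return False, f"{scheme} signatures not allowed for repo {repo}"
    return True, scheme

# Constructed sample inputs (format markers only, not real signatures).
SSH_SIG = (SSH_ARMOR_BEGIN + b"\n" + base64.b64encode(b"SSHSIG" + b"\x00" * 8)
           + b"\n" + SSH_ARMOR_END + b"\n")
GPG_SIG = bytes([0x89, 0x01, 0x33])  # old-format packet header, tag 2
SIGNIFY_SIG = b"untrusted comment: verify with repo.pub\nAAAA\n"
```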