On 19/02/11 19:25, Pierre Schmitz wrote:
On Sat, 19 Feb 2011 17:35:21 +1000, Allan McRae wrote:
I will repeat myself again... Patches for pacman do bugger all for getting signatures into Arch Linux repos. Patches for the Arch Linux devtools/db-scripts packages are needed.
To be honest, I don't think it's worth working on patches for devtools dbscripts right now. I'd prefer to be pointed at some documents which describe exactly the workflow to sign a package with makepkg, upload it, add it to a db, update, replace and delete it.
Once there is a version of pacman which supports signed packages I can start implementing these ideas.
All there is from a pacman point of view is this:
1) makepkg signs the package with the packager's key and creates a detached signature
2) repo-add adds that key to the repo db
3) pacman has a local keyring to verify the package signatures against.
An addition is that repo-add will verify its current signature and re-sign the database after adding the package(s). So for a start, we could have commitpkg just upload signature files alongside packages. It could also be temporarily responsible for signing the package until makepkg with signing support gets released, or perhaps better that could be done by makechrootpkg...
And last but not least we need to think about key management which is less technical but very important.
I think that is fairly separate to the pacman implementation. Getting some sort of ultimate trust key (or equivalent) into the pacman keyring is the most difficult part. Then a distro can provide a pacman-keyring package signed by that key which will provide the developer keys. The pacman-key tool (a useful wrapper to gpg) is then used to import those keys into the pacman keyring. How the keys are signed in order to form a useful web of trust is up to the distro.

Allan
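
The detached-signature flow described in the message above (sign with the packager's key, verify against a separate local keyring), as an added example that is not part of the original thread and is not makepkg, repo-add or pacman code. It uses plain gpg (2.1 or later) only; the key identity, file names and directories are constructed for the demo.

```shell
#!/bin/sh
# Added example: sign / distribute key / verify, using plain gpg (>= 2.1).
# Everything below (paths, user ID, package payload) is constructed.

# verify_pkg KEYRING_DIR PKG -> prints "valid" or "rejected".
# gpg --verify only checks the signature against keys in the keyring;
# whether a key is *trusted* is the separate key-management question.
verify_pkg() {
    if GNUPGHOME="$1" gpg --batch --quiet --verify "$2.sig" "$2" 2>/dev/null
    then echo valid; else echo rejected; fi
}

# run_demo -> prints results for: unknown key, known key, tampered package.
run_demo() {
    work=$(mktemp -d) || return 1
    packager="$work/packager"; keyring="$work/keyring"
    mkdir -m 700 "$packager" "$keyring"
    pkg="$work/demo-1.0-1-any.pkg.tar.xz"
    printf 'constructed package payload\n' > "$pkg"

    # Packager side: key without passphrase (demo only), detached signature.
    GNUPGHOME="$packager" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Packager <packager@example.invalid>' ed25519 sign never 2>/dev/null
    GNUPGHOME="$packager" gpg --batch --quiet --detach-sign \
        --output "$pkg.sig" "$pkg" 2>/dev/null

    # Verifying side, before the packager key is in the local keyring.
    r1=$(verify_pkg "$keyring" "$pkg")

    # Key distribution: import only the public key into the local keyring.
    GNUPGHOME="$packager" gpg --batch --export > "$work/packager.pub" 2>/dev/null
    GNUPGHOME="$keyring" gpg --batch --quiet --import "$work/packager.pub" 2>/dev/null
    r2=$(verify_pkg "$keyring" "$pkg")

    # A package modified after signing must no longer verify.
    printf 'extra bytes\n' >> "$pkg"
    r3=$(verify_pkg "$keyring" "$pkg")

    # Stop the per-directory agents and remove the temporary files.
    for d in "$packager" "$keyring"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}
```

Calling `run_demo` prints one result per case; the signature is accepted only when the signing key is present in the verifying keyring and the package is unmodified.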