On Mon, 26 Jul 2010 17:26:00 -0300 Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
So, I changed the code to use gpgme. Here are the patches for your evaluation.
By the way, I'm not {angry,upset,crying} :) I really want to see package signing in pacman, but I know that this is a complex issue that will need lots of discussion.
Below follows a little explanation of the general idea of each patch.
[PATCH 1/5] pacman-key: keyring management tool
The script that helps with management for pacman keyring. It uses gpg, instead of gpg2, and is heavily inspired by apt-key, from Debian. It is very straightforward.
[PATCH 2/5] Signature verification functions
Two functions: one for signatures in memory and another for signatures in files. Signatures of packages are stored in the repository and are copied to memory before verification. The signatures of database files are stored on files, hence the new function.
[PATCH 3/5] Verify the signatures of databases and packages
The calls for the signature functions. Verification of database updates and package installations from the repositories.
I didn't worry about local installations, but it doesn't mean they are not there. If it were verified before (as Dan suggests), they are there. :)
A point raised by Dan was that the reading of the signature from the repository was too complex. The reasoning behind it is that signatures grow according to the size of the key used to sign. So, we can never be sure if some buffer size is really enough. Maybe it is enough now, but in the future it may not be and we'll have a new bug in the bugtracker. My implementation is simple and robust, so it will work with any signature size.
[PATCH 4/5] Parameter to select key to sign
Just a new parameter to allow the packager to select the key he wants to use. If the key is not specified, his default key will be used.
[PATCH 5/5] Document new options related to package signing
Just documentation. No important comment.
As always, comments and suggestions are welcome.
-- Denis A. Altoé Falqueto
This is really encouraging, Denis. Could you possibly update your Wiki article with a status report?

http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman

Or maybe someone could summarise what the situation is now so us impatient folk can surmise how close we are to seeing gpg signing in Pacman.

Denis, have you also considered the hash function that is used when signing? It seems that sha256 is considered the best to use at the moment. That is until sha-3 is finalised in 2012.

thanks,
Ananda
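The point in the quoted message about not trusting a fixed buffer size for a signature, as an added C example that is not code from the patch series: it reads a signature of unknown length into a growing buffer. The function names, the `max_len` cap and the sample sizes are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a whole detached signature from fp without assuming its size.
 * max_len is an assumed policy cap (not from the patches) so that a
 * misbehaving mirror cannot make the client allocate without bound.
 * Returns a malloc'd buffer and sets *out_len; NULL on error, empty
 * input, or input larger than max_len. */
unsigned char *read_signature(FILE *fp, size_t max_len, size_t *out_len)
{
    size_t cap = 256, len = 0, n;
    unsigned char *buf = malloc(cap);
    if (!buf) return NULL;
    while ((n = fread(buf + len, 1, cap - len, fp)) > 0) {
        len += n;
        if (len > max_len) { free(buf); return NULL; }
        if (len == cap) {                  /* buffer full: double it */
            unsigned char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp;
            cap *= 2;
        }
    }
    if (ferror(fp) || len == 0) { free(buf); return NULL; }
    *out_len = len;
    return buf;
}

/* Constructed input: n filler bytes standing in for a signature,
 * written to a temp file and read back. Returns 1 on an exact match. */
int roundtrip(size_t n, size_t max_len)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    unsigned char *src = malloc(n ? n : 1);
    if (!src) { fclose(fp); return -1; }
    for (size_t i = 0; i < n; i++) src[i] = (unsigned char)(i * 31 + 7);
    fwrite(src, 1, n, fp);
    rewind(fp);
    size_t got = 0;
    unsigned char *sig = read_signature(fp, max_len, &got);
    int ok = sig && got == n && memcmp(sig, src, n) == 0;
    free(sig); free(src); fclose(fp);
    return ok;
}

int main(void)
{   /* Sizes are illustrative, not measured signature lengths. */
    printf("%d %d %d\n", roundtrip(72, 65536), roundtrip(1100, 65536), roundtrip(70000, 65536));
    return 0;
}
```
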