[pacman-dev] makepkg: gpg signature verification?
I'd like to add $gpgsource (URLs to gpg signatures of the sources) to PKGBUILDs and, when building, check the signatures, but I'm not sure what to do when the check fails. If the user doesn't have the key in his keyring or doesn't trust it, my idea would be to display an error message and exit, but that doesn't seem practical, although I think it's the right way.

I also have no idea how to handle chroots. I really can't expect users to copy their keyring into the chroot, but I could add an option to makepkg.conf so you can disable the checking, and wrapper scripts could then do that before chrooting (using a new --verify option maybe).

C&C please.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
On 23/11/10 01:33, Florian Pritz wrote:
> I'd like to add $gpgsource (URLs to gpg signatures of the sources) to PKGBUILDs and, when building, check the signatures, but I'm not sure what to do when the check fails. If the user doesn't have the key in his keyring or doesn't trust it, my idea would be to display an error message and exit, but that doesn't seem practical, although I think it's the right way.
>
> I also have no idea how to handle chroots. I really can't expect users to copy their keyring into the chroot, but I could add an option to makepkg.conf so you can disable the checking, and wrapper scripts could then do that before chrooting (using a new --verify option maybe).
The total discussion on this topic so far is in: https://bugs.archlinux.org/task/20448

As you can see, we barely got past the idea of checking the signatures...

I would abort if the check fails completely, but just issue a warning if the failure is only due to no trust in the key being used to sign (i.e. the signature is correct).

I would not consider chroots yet. The same issue will occur with package signing, where people will not have their keys to sign packages when building in chroots. These are the sort of things chroot building wrapper scripts have to figure out.

Allan
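The abort-versus-warn rule Allan describes, as an added example written for this page (it is not makepkg code and not from the thread): a POSIX sh classifier over the machine-readable lines gpg writes to --status-fd. The status text is constructed inline with fictional key ids, and has_status, classify_gpg_status and verdict are names chosen here.

```shell
#!/bin/sh
# Added example, not makepkg's own code: abort when signature verification
# fails outright, only warn when the signature is good but the key is untrusted.
# In real use the status text would come from
#   gpg --status-fd 1 --verify "$sigfile" "$srcfile"
# Here it is passed in as a string, so no gpg binary or keyring is needed.

# True if a status line "[GNUPG:] <keyword> ..." is present in $2.
has_status() {
    printf '%s\n' "$2" | grep -Eq "^\[GNUPG:\] $1( |$)"
}

# Returns 0 = good and trusted, 1 = good but untrusted key (warn),
# 2 = verification failed or no good signature at all (abort).
classify_gpg_status() {
    # Hard failures: wrong signature, unverifiable, missing/expired/revoked key.
    # Counting an explicitly distrusted key (TRUST_NEVER) as a failure is an
    # assumption made here, not something the thread decided.
    for kw in BADSIG ERRSIG NO_PUBKEY EXPKEYSIG REVKEYSIG TRUST_NEVER; do
        has_status "$kw" "$1" && return 2
    done
    has_status GOODSIG "$1" || return 2
    # Only full or ultimate trust counts as trusted; undefined/marginal warn.
    if has_status TRUST_FULLY "$1" || has_status TRUST_ULTIMATE "$1"; then
        return 0
    fi
    return 1
}

# Map the return code to the word a makepkg message would use.
verdict() {
    rc=0
    classify_gpg_status "$1" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo warn ;;
        *) echo abort ;;
    esac
}

# Constructed sample status output (fictional key ids and user ids).
GOOD_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
GOOD_UNTRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_SIG='[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.org>'
NO_KEY='[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1290000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

for s in "$GOOD_TRUSTED" "$GOOD_UNTRUSTED" "$BAD_SIG" "$NO_KEY"; do
    echo "$(verdict "$s")"
done
```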