Hello,
AUR uses SSH keys for authentication, and for a few months now Git can
sign commits with SSH keys. Would there be interest in combining this
to somehow mark packages as verified if HEAD has a valid signature from
an SSH key registered in the profile of any maintainer of that package?
I don't think it'd add much in terms of security per se, but I think
it'd help to encourage and spread commit signing on the AUR. That's a
good thing per se, imho, but I think it'd also simplify trust
management a lot, especially when automatically building many AUR
packages.
Currently you always need an extra RPC call to the AUR to obtain
reliable maintainer information for every package, because the git
clone itself doesn't carry any trust information at all.
With signing however you could just scrape SSH keys from maintainers
you trust every once in a while, and assemble those into an
ALLOWED_SIGNERS file for "git verify-commit". Asserting that a
package HEAD is trusted would then come down to a simple
"git verify-commit".
For this to work AUR would need to publicly expose SSH keys in user
profile packages, which definitely requires some care w.r.t. privacy.
Another challenge would be to make a UI which clearly indicates that
"verified" only means the HEAD was signed by a maintainer, not that the
Arch team or a TU has actually verified the PKGBUILD, let alone the
package contents.
But if there's interest in the feature, I'd be happy to start working
on a patch to aurweb to contribute this feature.
Kind regards,
Basti
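As an added illustration of the workflow described in the mail (this is example code, not part of the mail or of aurweb), the following builds an allowed_signers file from a maintainer-to-SSH-keys mapping and applies it to a cloned package with "git verify-commit". The mapping itself is assumed input, since the AUR does not expose maintainer SSH keys today.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Key types ssh-keygen -Y accepts for signatures; anything else is rejected.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
                     "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+=*")
# Principals in allowed_signers are comma-separated and end at whitespace, so a
# username containing either could add principals or options to the line.
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._@-]+")

def parse_public_key(key: str) -> tuple[str, str]:
    """Split an OpenSSH public key line into (type, base64 blob), dropping the
    free-form comment: allowed_signers has no comment field after the key."""
    parts = key.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported or malformed key: {key!r}")
    if not BASE64_RE.fullmatch(parts[1]):
        raise ValueError(f"key blob is not base64: {key!r}")
    return parts[0], parts[1]

def build_allowed_signers(maintainers: dict[str, list[str]]) -> str:
    """Render allowed_signers content, one line per (maintainer, key).
    namespaces="git" limits each key to git signatures, so a maintainer's
    login key is not implicitly trusted for any other ssh-keygen -Y use."""
    lines = []
    for name, keys in sorted(maintainers.items()):
        if not PRINCIPAL_RE.fullmatch(name):
            raise ValueError(f"invalid principal: {name!r}")
        for key in keys:
            keytype, blob = parse_public_key(key)
            lines.append(f'{name} namespaces="git" {keytype} {blob}\n')
    return "".join(lines)

def head_signed_by_trusted_maintainer(repo: Path, allowed_signers: Path) -> bool:
    """True iff git accepts the SSH signature on HEAD against allowed_signers.
    Needs git >= 2.34 and ssh-keygen on PATH; an unsigned HEAD returns False."""
    if shutil.which("git") is None or shutil.which("ssh-keygen") is None:
        raise RuntimeError("git and ssh-keygen are required for verification")
    result = subprocess.run(
        ["git", "-C", str(repo), "-c", f"gpg.ssh.allowedSignersFile={allowed_signers}",
         "verify-commit", "HEAD"], capture_output=True, text=True)
    return result.returncode == 0
```

Key rotation and revocation are not covered by this file as written; the allowed_signers format supports valid-after/valid-before options that a build tool could fill from profile metadata if the AUR ever exposed it.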