[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures

Allan McRae allan at archlinux.org
Wed Mar 16 21:31:48 EDT 2011


On 17/03/11 11:14, Dan McGee wrote:
> On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan at archlinux.org>  wrote:
>> On 13/03/11 13:24, Allan McRae wrote:
>>>
>>> I'd like comments on where the signature should be generated.  I was
>>> thinking at the end of makechrootpkg, but before upload could also
>>> work.
>
>>>   Note that the future makepkg implementation for automatic signing
>>> is probably not appropriate for use as that would require gpg and a
>>> keyring in the chroot.
> Is this a bad thing? Does it drag in a lot of deps?

Not a lot of deps given pacman will pull them in eventually for gpg
support.  It is more having to set up your keyring in every chroot that
I was concerned about.

>> More thinking about this...   the package signing probably can not be too
>> linked to building (i.e. not in makechrootpkg) as that might be on an
>> external build server (which should not have private keys on it).  So I
>> guess that it should be done at the time of upload.
>
> "probably can not be too linked" - someone is hedging their words. :)
>
> I agree that it shouldn't have to be linked, but making it easy to
> generate as part of the build process is something that we shouldn't
> forget. However, in the case of building it elsewhere, is it that bad,
> iff they are using a key protected by a passphrase?

I am hedging ever so slightly...   I would not be putting my gpg key on 
a server where other people have access, even with a strong passphrase.

> When someone builds remotely, and you say "done at time of upload", do
> you really copy it back locally before uploading it? Or how is pushing
> off the time of signing going to help here?

Well, copying the package locally needs to be done to test the package 
anyway...

Anyway, at this stage, I think we just need to get something that 
"works" happening.  The entire process can be adjusted or added to later 
as real world usage dictates.

Allan
