[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures
allan at archlinux.org
Wed Mar 16 21:31:48 EDT 2011
On 17/03/11 11:14, Dan McGee wrote:
> On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan at archlinux.org> wrote:
>> On 13/03/11 13:24, Allan McRae wrote:
>>> I'd like comments on where the signature should be generated. I was
>>> thinking at the end of makechrootpkg, but before upload could also
>>> Note that the future makepkg implementation for automatic signing
>>> is probably not appropriate for use as that would require gpg and a
>>> keyring in the chroot.
> Is this a bad thing? Does it drag in a lot of deps?
Not a lot of deps given pacman will pull them in eventually for gpg
support. It is more having to set up your keyring in every chroot that
I was concerned about.
>> More thinking about this... the package signing probably can not be too
>> linked to building (i.e. not in makechrootpkg) as that might be on an
>> external build server (which should not have private keys on it). So I
>> guess that it should be done at the time of upload.
> "probably can not be too linked" - someone is hedging their words. :)
> I agree that it shouldn't have to be linked, but making it easy to
> generate as part of the build process is something that we shouldn't
> forget. However, in the case of building it elsewhere, is it that bad,
> iff they are using a key protected by a passphrase?
I am hedging ever so slightly... I would not be putting my gpg key on
a server where other people have access, even with a strong passphrase.
> When someone builds remotely, and you say "done at time of upload", do
> you really copy it back locally before uploading it? Or how is pushing
> off the time of signing going to help here?
Well, copying the package locally needs to be done to test the package
Anyway, at this stage, I think we just need to get something that
"works" happening. The entire process can be adjusted or added to later
as real world usage dictates.