[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures

Allan McRae allan at archlinux.org
Wed Mar 16 21:31:48 EDT 2011

On 17/03/11 11:14, Dan McGee wrote:
> On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan at archlinux.org>  wrote:
>> On 13/03/11 13:24, Allan McRae wrote:
>>> I'd like comments on where the signature should be generated.  I was
>>> thinking at the end of makechrootpkg, but before upload could also
>>> work.
>>>   Note that the future makepkg implementation for automatic signing
>>> is probably not appropriate for use as that would require gpg and a
>>> keyring in the chroot.
> Is this a bad thing? Does it drag in a lot of deps?

Not a lot of deps given pacman will pull them in eventually for gpg 
support.  It is more having to set up your keyring in every chroot that 
I was concerned about.

>> More thinking about this...   the package signing probably can not be too
>> linked to building (i.e. not in makechrootpkg) as that might be on an
>> external build server (which should not have private keys on it).  So I
>> guess that it should be done at the time of upload.
> "probably can not be too linked" - someone is hedging their words. :)
> I agree that it shouldn't have to be linked, but making it easy to
> generate as part of the build process is something that we shouldn't
> forget. However, in the case of building it elsewhere, is it that bad,
> iff they are using a key protected by a passphrase?

I am hedging ever so slightly...   I would not be putting my gpg key on 
a server where other people have access, even with a strong passphrase.

> When someone builds remotely, and you say "done at time of upload", do
> you really copy it back locally before uploading it? Or how is pushing
> off the time of signing going to help here?

Well, copying the package locally needs to be done to test the package.

Anyway, at this stage, I think we just need to get something that 
"works" happening.  The entire process can be adjusted or added to later 
as real world usage dictates.
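The workflow discussed above (build wherever, but sign locally at upload time so the private key never sits on a shared build server) can be done with a detached GnuPG signature next to the package file. The following is an added example, not code from the thread or from dbscripts; it assumes GnuPG 2.1 or later on PATH, and the keyring directory, key identity and package file name are constructed for the demonstration. `verify_package` uses only the public keys in the given keyring, which is what a mirror or a user would have.

```shell
#!/bin/sh
# Added example (not from the thread or from dbscripts): detached-sign a
# package at upload time with a key kept on the developer's own machine,
# then verify it using only public keys. Assumes GnuPG 2.1+ on PATH; the
# keyring directory and identity below are constructed for this demo.
set -eu

# sign_package PKG KEYID HOMEDIR
# Writes a binary detached signature to PKG.sig using secret key KEYID
# from keyring HOMEDIR. Returns non-zero if the package is missing or
# gpg fails, so an upload step can abort before anything is pushed.
sign_package() {
    pkg=$1; keyid=$2; homedir=$3
    [ -f "$pkg" ] || { echo "sign_package: no such file: $pkg" >&2; return 1; }
    gpg --homedir "$homedir" --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$keyid" --detach-sign --output "$pkg.sig" "$pkg"
}

# verify_package PKG HOMEDIR
# Checks PKG against PKG.sig with the public keys in HOMEDIR. Returns
# non-zero for a bad signature, a modified package or an unknown key.
verify_package() {
    pkg=$1; homedir=$2
    [ -f "$pkg.sig" ] || { echo "verify_package: missing $pkg.sig" >&2; return 1; }
    gpg --homedir "$homedir" --batch --verify "$pkg.sig" "$pkg" >/dev/null 2>&1
}

# make_test_key HOMEDIR
# Generates a throwaway, passphrase-less signing key in HOMEDIR (for the
# demo only; a real packager key lives in the developer's normal keyring
# and is passphrase protected) and prints its fingerprint.
make_test_key() {
    homedir=$1
    mkdir -p "$homedir" && chmod 700 "$homedir"
    gpg --homedir "$homedir" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Example Packager <packager@example.invalid>" default default never \
        >/dev/null 2>&1
    gpg --homedir "$homedir" --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage at upload time (after the package was copied back and tested):
#   sign_package foo-1.0-1-x86_64.pkg.tar.xz "$MY_KEY_FPR" "$HOME/.gnupg"
#   verify_package foo-1.0-1-x86_64.pkg.tar.xz "$HOME/.gnupg" && scp foo-*.pkg.tar.xz* repo:
```

Because the signature is a separate `.sig` file, the build server never needs the key: the package is built remotely, copied back for testing, signed on the developer's machine, and both files are uploaded together. Appending even one byte to the package makes `verify_package` fail, which is the check the repository side should run before accepting an upload.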
