[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures

Dan McGee dpmcgee at gmail.com
Wed Mar 16 21:48:23 EDT 2011


On Wed, Mar 16, 2011 at 8:31 PM, Allan McRae <allan at archlinux.org> wrote:
> On 17/03/11 11:14, Dan McGee wrote:
>>
>> On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan at archlinux.org>  wrote:
>>>
>>> On 13/03/11 13:24, Allan McRae wrote:
>>>>
>>>> I'd like comments on where the signature should be generated.  I was
>>>> thinking at the end of makechrootpkg, but before upload could also
>>>> work.
>>
>>>>  Note that the future makepkg implementation for automatic signing
>>>> is probably not appropriate for use as that would require gpg and a
>>>> keyring in the chroot.
>>
>> Is this a bad thing? Does it drag in a lot of deps?
>
> Not a lot of deps given pacman will pull them in eventually for gpg support.
>  It is more having to set-up your keyring in every chroot that I was
> concerned about.

I feel like this is something that can be done in makechrootpkg
without too much hassle, no? Just a cp into the chroot.

>>> More thinking about this...   the package signing probably can not be too
>>> linked to building (i.e. not in makechrootpkg) as that might be on an
>>> external build server (which should not have private keys on it).  So I
>>> guess that it should be done at the time of upload.
>>
>> "probably can not be too linked" - someone is hedging their words. :)
>>
>> I agree that it shouldn't have to be linked, but making it easy to
>> generate as part of the build process is something that we shouldn't
>> forget. However, in the case of building it elsewhere, is it that bad,
>> iff they are using a key protected by a passphrase?
>
> I am hedging ever so slightly...   I would not be putting my gpg key on a
> server where other people have access, even with a strong passphrase.

OK. Let's operate on this assumption then and find a solution that works for it.

>> When someone builds remotely, and you say "done at time of upload", do
>> you really copy it back locally before uploading it? Or how is pushing
>> off the time of signing going to help here?
>
> Well, copying the package locally needs to be done to test the package
> anyway...

Oh yeah....testing. Who does that? For something like xxx-data, I feel
like this has the possibility of getting unweildy, although I see now
good way around this.

> Anyway, at this stage, I think we just need to get something that "works"
> happening.  The entire process can be adjusted or added to later as real
> world usage dictates.

Agreed.

We might want to take a look at this:
http://packages.debian.org/lenny/devscripts
Notably: cowpoke, debsign and see how they do things.

-Dan


More information about the arch-dev-public mailing list