[arch-dev-public] Keyring package for real

Pierre Schmitz pierre at archlinux.de
Sun Feb 19 11:18:51 EST 2012


Hello,

I'd like to push the creation of our keyring package. This package will
contain all gpg keys needed to verify our packages. First of all: if you
disagree with everything I did: don't worry; I am fine if we end up with
an entirely different solution but this should be a good start.

After talking to others I would sum up the design goals as:
* clear and transparent process; for the maintainer and users
* complete and verifiable history of changes
* has to work without any internet connection
* no magic, no binary blobs; keep it as simple as possible

As a result I created a git repo which is meant to store all
packager and master keys:
https://projects.archlinux.org/archlinux-keyring.git/ The advantage over
putting these files directly into svn is that we could use a cleaner
layout with subdirs, sign tags and verify the source. The result is a
(signed) tarball which can be used in the actual package which would
contain additional logic. The keyids are exported from archweb. I didn't
distinguish between developers and trusted users as pacman itself does
not know about this difference either. It also makes maintenance easier
when people move between these groups or are active in both of them.

A package prototype can be found at
https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/archlinux-keyring
It is not in any repo yet but I hope to put something into [testing]
after a brief discussion. All this package does is install/update
all master and packager keys and add them to the pacman keyring.

Note that this does not set any trust level which is needed to actually
verify packages. The user has to trust (lsign) each of the master keys
to establish this. This is some kind of bootstrapping problem. Future
versions of our installer should take care of this and do it
automatically during install.

To make life easier for our current users we could add a simple helper
script which displays the master keys and lsigns them after
confirmation. The best way to do this is to use gpg --import-ownertrust
which takes a simple text file of the format "<keyid>:<trustlevel>". I
wouldn't want to use a binary file here. It is important that users
always know what is going on.

To sum things up: The keyring package would install all needed keys and
contain a simple helper script to verify and trust the master keys. A
news item would then describe how to use this helper but also show several
ways to verify the authenticity of the master keys.

Greetings,

Pierre

-- 
Pierre Schmitz, http://pierre-schmitz.com
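The helper script sketched in the mail (show the master keys, confirm, lsign them and feed a plain-text ownertrust file to gpg), as an added example that is not code from the mail or from the archlinux-keyring repository. It assumes the package ships the master-key fingerprints one per line in a text file, that the pacman keyring lives in /etc/pacman.d/gnupg, that trust level 4 (full) is wanted, and that `pacman-key --lsign-key` is available; the sample key list is constructed.

```shell
# Added example, not code from the mail or the archlinux-keyring repo. Assumed:
# the package ships master-key fingerprints one per line in a text file, the
# pacman keyring lives in /etc/pacman.d/gnupg, pacman-key --lsign-key exists.
set -u
KEYRING_HOME="${KEYRING_HOME:-/etc/pacman.d/gnupg}"

# Constructed sample list (not real Arch master keys); mixed case on purpose.
SAMPLE_MASTER_KEYS='0123456789ABCDEF0123456789ABCDEF01234567
89abcdef0123456789abcdef0123456789ABCDEF'

# A full fingerprint is exactly 40 hex digits; anything else is rejected so
# a damaged list can never be turned into trust.
is_fingerprint() {
    case "$1" in *[!0-9A-Fa-f]*|'') return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Emit the plain-text format gpg --import-ownertrust reads (and
# --export-ownertrust writes): "<fingerprint>:<trustlevel>:", 4 = full trust.
build_ownertrust() {
    level="$1"
    while IFS= read -r fpr; do
        fpr=$(printf '%s' "$fpr" | tr -d ' ' | tr 'a-f' 'A-F')
        [ -n "$fpr" ] || continue
        is_fingerprint "$fpr" || { echo "malformed key id: $fpr" >&2; return 1; }
        printf '%s:%s:\n' "$fpr" "$level"
    done
}

# Show every master key, ask once, then lsign each key and import the
# ownertrust file. Nothing touches the keyring before the confirmation.
trust_master_keys() {
    trustfile=$(mktemp) || return 1
    build_ownertrust 4 < "$1" > "$trustfile" || return 1
    cut -d: -f1 "$trustfile" | while IFS= read -r fpr; do
        gpg --homedir "$KEYRING_HOME" --fingerprint "$fpr" || echo "not in keyring: $fpr"
    done
    printf 'Locally sign and fully trust the keys above? [y/N] '
    read -r answer
    case "$answer" in y|Y) ;; *) echo "aborted, nothing changed"; rm -f "$trustfile"; return 1 ;; esac
    cut -d: -f1 "$trustfile" | while IFS= read -r fpr; do
        pacman-key --lsign-key "$fpr"
    done
    gpg --homedir "$KEYRING_HOME" --import-ownertrust "$trustfile"
    rm -f "$trustfile"
}
# Usage: trust_master_keys /path/to/master-keyids.txt
```

Because the ownertrust file is generated from the shipped fingerprint list and printed as plain text, a user can inspect exactly what will be trusted before answering the prompt.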

