[arch-general] Package signing

Aleksis Jauntēvs aleksis.jauntevs at gmail.com
Wed Apr 28 15:32:21 CEST 2010


The idea is to implement package signing for Arch similar to rpm GPG package 
signing. Short description follows.

Use case for developers:
1. Dev bulds package with f.e. "-sign" switch.
2. Dev enters passphrase.
3. makepkg builds the package and creates detached signature (now we 
have 2 files *.tar.xz and *.sig).
4. The two files togeather are distributed to the repos as package with 

Package installation:
Pacman additionally downloads the signature the signature file and verifies 
the package. 

1. Where to store the package signature file? 
It is more convenient and logical to keep the package as a single file. Rpm 
packages uses binary format and the signatures are stored inside.
2. GPG key sharing. 
Rpm-like distros like fedora and RHL use a single key for signing all their 
stable packages, but I think their build system is centralised. Is it safe to 
share one key among all package developers?

1. Add package verification suport in lipalpm (using gpgme or gpg executable 
as rpm does).
2. Add package signing in makepkg script
3. Patch pacman, add option to turn the package signing ON or Off.
4. Add support for signed package distribution if needed (see Problems #1)
5. Include Arch public pgp key in /etc/pacman.d/..(??)

Discussion about this and also other ways for package signing(md5,..) are 


More information about the arch-general mailing list