[arch-general] Package signing
Aleksis Jauntēvs
aleksis.jauntevs at gmail.com
Wed Apr 28 15:32:21 CEST 2010
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package
signing. Short description follows.
Use case for developers:
1. Dev builds package with e.g. a "-sign" switch.
2. Dev enters passphrase.
3. makepkg builds the package and creates detached signature (now we
have 2 files *.tar.xz and *.sig).
4. The two files together are distributed to the repos as package with
signature.
Package installation:
Pacman additionally downloads the signature file and verifies
the package.
Problems:
1. Where to store the package signature file?
It is more convenient and logical to keep the package as a single file. Rpm
packages use a binary format and the signatures are stored inside.
2. GPG key sharing.
Rpm-like distros like fedora and RHL use a single key for signing all their
stable packages, but I think their build system is centralised. Is it safe to
share one key among all package developers?
3..
Implementation:
1. Add package verification support in libalpm (using gpgme or the gpg executable
as rpm does).
2. Add package signing in makepkg script
3. Patch pacman, add option to turn the package signing on or off.
4. Add support for signed package distribution if needed (see Problems #1)
5. Include Arch public pgp key in /etc/pacman.d/..(??)
Discussion about this and also other ways for package signing (md5, ...) are
welcome!
--
Alekss
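The workflow proposed above (build the package, write a detached .sig beside it, have the installer verify the pair and refuse unsigned or tampered packages) as an added, self-contained example. This is not code from the post, from makepkg or from pacman; it only calls the gpg command line and uses a throwaway keyring in a temporary directory so nothing touches the user's real keys. The key identity, package name and package contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached GPG package signing (the "makepkg -sign" side)
# and verification before install (the pacman side). Requires gpg 2.1+.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/keyring"          # throwaway keyring, never ~/.gnupg
mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed throwaway signing key (no passphrase; a real packager key would
# have one, which is the "Dev enters passphrase" step in the post).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Packager <demo@example.invalid>' default default 0 \
    >/dev/null 2>&1

# makepkg side: produce a detached signature next to the package file.
# $1 = package path; writes "$1.sig"
sign_package() {
    gpg --batch --quiet --yes --detach-sign --output "$1.sig" "$1"
}

# libalpm side: returns 0 only if "$1.sig" is a valid signature over "$1"
# made by a key in the local keyring (here: the demo key).
verify_package() {
    gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Install policy with signing turned on: a missing .sig is rejected just
# like a bad one, otherwise an attacker could simply drop the signature.
# Returns 0 (install) or 1 (reject).
install_check() {
    pkg=$1
    if [ ! -f "$pkg.sig" ]; then
        echo "REJECT: no signature for $pkg"; return 1
    fi
    if verify_package "$pkg"; then
        echo "OK: signature valid for $pkg"; return 0
    fi
    echo "REJECT: bad signature for $pkg"; return 1
}

# Build a constructed package archive (uncompressed tar, so no xz dependency).
PKGROOT="$WORK/root"; mkdir -p "$PKGROOT/usr/bin"
printf '#!/bin/sh\necho demo\n' > "$PKGROOT/usr/bin/demo"
PKG="$WORK/demo-1.0-1-any.pkg.tar"
tar -cf "$PKG" -C "$PKGROOT" .

# 1. Signed package verifies.
sign_package "$PKG"
install_check "$PKG"

# 2. Tampered package: same .sig, one byte appended -> verification fails.
TAMPERED="$WORK/demo-tampered.pkg.tar"
cp "$PKG" "$TAMPERED"; cp "$PKG.sig" "$TAMPERED.sig"
printf 'x' >> "$TAMPERED"
if install_check "$TAMPERED"; then echo "unexpected: tampered package accepted"; exit 1; fi

# 3. Unsigned package: no .sig at all -> rejected by policy.
UNSIGNED="$WORK/demo-unsigned.pkg.tar"
cp "$PKG" "$UNSIGNED"
if install_check "$UNSIGNED"; then echo "unexpected: unsigned package accepted"; exit 1; fi
```

The two files distributed together are exactly what the post describes (*.pkg.tar and *.pkg.tar.sig); the verification step also shows why the installer needs the signing public key in its own keyring beforehand (the post's point 5), since gpg can only say "valid" for keys it already trusts.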