[arch-general] Package signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Wed Apr 28 19:18:02 CEST 2010

On Wed, Apr 28, 2010 at 10:39 AM, Allan McRae <allan at archlinux.org> wrote:
> On 28/04/10 23:32, Aleksis Jauntēvs wrote:
>> Hello,
>> The idea is to implement package signing for Arch similar to rpm GPG
>> package
>> signing.
> Good to see someone interested in this.  I suggest you join the pacman-dev
> list where all discussion about pacman development occurs.
> There is also some code floating around that has started to implement this.
> This is my gpg branch containing those patches -
> http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg .

Hi, Allan and Aleksis.

I was thinking about this problem for sometime and the more complex
part is the key distribution and trusting. Now I maybe came to
something usefull.

I'm thinking about a two way signing process. The dev signs the
package and send it to the server. The server would have a script or a
cron job to verify if the signature is valid and is from someone
trusted [1]. If so, the original signature is discarded and a new one
is made, with an official Arch key.

So the problem of distributing keys is solved. We just need to
distribute and trust the official public key of Arch. If some new
developer comes to the team, its digital fingerprint is added to the
list of trusted devs. If someone is removed, its fingerprint is
removed. The users will trust in anything the server has signed,
because the physical access to the private key is kept safe (so we
hope :)). If some developer loses the confidence in his key, he can
generate another and send the fingerprint to the admin, so it can be
added toe the trusted list.

I am willing to help with any efforts in this area. I'm already
subscribed in pacman-dev and if this discussion pops up there, count
me on.

[1] - there should be a list of fingerprints of trusted devs, only
writeable by a few admins.

A: Because it obfuscates the reading.
Q: Why is top posting so bad?

Denis A. Altoe Falqueto

More information about the arch-general mailing list