[arch-general] Package signing

Daenyth Blank daenyth+arch at gmail.com
Wed Apr 28 19:27:49 CEST 2010


On Wed, Apr 28, 2010 at 13:18, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> I'm thinking about a two-way signing process. The dev signs the
> package and sends it to the server. The server would have a script or a
> cron job to verify if the signature is valid and is from someone
> trusted [1]. If so, the original signature is discarded and a new one
> is made, with an official Arch key.

This is pretty sensible, but I think that the second step would
preclude having a passphrase on the key, as it would have to be called
from a script. Another way to do it might be to have the upload
verified by sender key and then have the uploader sign the repo db
(during the db-update step probably?). We'd have to have a keyring,
but with this method even if the server is compromised the db is safe
from tampering, since the keyring is signed by the highest-trust key
(phrak, presumably), and that lists the keys which are allowed to sign
the repo itself, so there's no way to insert untrusted keys into the
keyring or repo. Perhaps the keyring package could require
double-signing to also prevent an attack where phrak gets hacked again
and loses his key :)
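The trust chain sketched above (a keyring signed by the highest-trust key, listing the keys allowed to sign the repo db, with the client trusting only the pinned master key), as an added example that is not part of this thread or of pacman. It uses Ed25519 from the Go standard library as a stand-in for the GPG keys discussed; the type and function names and the sample db contents are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Keyring lists the public keys allowed to sign the repo db, plus the
// master (highest-trust) key's signature over that list.
type Keyring struct {
	Signers []ed25519.PublicKey
	Sig     []byte
}

// keyringPayload is the byte string the master key signs: all listed keys concatenated.
func keyringPayload(signers []ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	for _, k := range signers {
		buf.Write(k)
	}
	return buf.Bytes()
}

// SignKeyring is done offline by whoever holds the master key; the server never has it.
func SignKeyring(master ed25519.PrivateKey, signers []ed25519.PublicKey) Keyring {
	return Keyring{Signers: signers, Sig: ed25519.Sign(master, keyringPayload(signers))}
}

// VerifyRepoDB is the client-side check: the keyring must carry a valid master
// signature, the db signer must be listed in it, and the db signature must verify.
func VerifyRepoDB(master ed25519.PublicKey, kr Keyring, db, dbSig []byte, signer ed25519.PublicKey) error {
	if !ed25519.Verify(master, keyringPayload(kr.Signers), kr.Sig) {
		return errors.New("keyring is not signed by the master key")
	}
	listed := false
	for _, k := range kr.Signers {
		if k.Equal(signer) {
			listed = true
		}
	}
	if !listed {
		return errors.New("db signer is not in the keyring")
	}
	if !ed25519.Verify(signer, db, dbSig) {
		return errors.New("db signature does not verify")
	}
	return nil
}

// Demo returns whether three constructed cases are accepted: a db signed by a listed dev,
// a db signed by a key an attacker on the server made up, and a db signed by that key
// after the attacker appended it to the keyring (which invalidates the master signature).
func Demo() (okDev, okRogue, okTampered bool) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := SignKeyring(masterPriv, []ed25519.PublicKey{devPub})
	db := []byte("core.db: constructed sample repo database") // constructed input
	okDev = VerifyRepoDB(masterPub, kr, db, ed25519.Sign(devPriv, db), devPub) == nil
	okRogue = VerifyRepoDB(masterPub, kr, db, ed25519.Sign(roguePriv, db), roguePub) == nil
	tampered := Keyring{Signers: append(kr.Signers, roguePub), Sig: kr.Sig}
	okTampered = VerifyRepoDB(masterPub, tampered, db, ed25519.Sign(roguePriv, db), roguePub) == nil
	return okDev, okRogue, okTampered
}
```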
