[arch-general] Package signing

Thomas Bächler thomas at archlinux.org
Thu Apr 29 00:09:34 CEST 2010


On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote:
> I was thinking about this problem for some time and the more complex
> part is the key distribution and trusting. Now I maybe came to
> something useful.

Finally, someone realizes that. The distribution and trusting of keys is
in fact the most difficult problem we are faced with.

> I'm thinking about a two way signing process. The dev signs the
> package and sends it to the server. The server would have a script or a
> cron job to verify if the signature is valid and is from someone
> trusted [1]. If so, the original signature is discarded and a new one
> is made, with an official Arch key.

Unacceptable. Servers get compromised way too easily (it happened in the
past, and it may happen again). We'd have to store the key without a
passphrase on that server for this to work. I'll never support such an
approach.


We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date are still accepted,
but newer ones aren't.
I don't see this easily being implemented with PGP keys, but maybe
someone else knows more.
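The revocation rule described above (signatures made before a key's revocation date stay valid, later ones are rejected), as an added example that is not code from this thread or from pacman: a Go model using Ed25519 in place of PGP, with hypothetical TrustedKey, Sign and Verify names and a constructed keyring. The signing time is bound into the signed message so it cannot be changed after the fact, but it is still the signer's claim, which is exactly the gap a deployed scheme has to close.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// TrustedKey is a keyring entry; a non-zero RevokedAt rejects signatures dated at or after it.
type TrustedKey struct {
	Name      string
	Pub       ed25519.PublicKey
	RevokedAt time.Time
}

// signedMessage prefixes the digest with the signing time so both are covered by the signature.
func signedMessage(digest []byte, signedAt time.Time) []byte {
	return append([]byte(signedAt.UTC().Format(time.RFC3339)+"\n"), digest...)
}

func Sign(priv ed25519.PrivateKey, digest []byte, signedAt time.Time) []byte {
	return ed25519.Sign(priv, signedMessage(digest, signedAt))
}

// Verify names the keyring key that verifies sig, unless that key was revoked before signedAt.
// Caveat: signedAt is signer-asserted, so a stolen key could backdate; use a trusted timestamp.
func Verify(keyring []TrustedKey, digest []byte, signedAt time.Time, sig []byte) (string, error) {
	msg := signedMessage(digest, signedAt)
	for _, k := range keyring {
		if !ed25519.Verify(k.Pub, msg, sig) {
			continue // not this key, or digest/time were altered after signing
		}
		if !k.RevokedAt.IsZero() && !signedAt.Before(k.RevokedAt) {
			return "", fmt.Errorf("key %q revoked at %s, signature dated %s", k.Name, k.RevokedAt.UTC(), signedAt.UTC())
		}
		return k.Name, nil
	}
	return "", fmt.Errorf("no trusted key verifies this signature")
}

func main() { // constructed demo: one developer key, revoked on 2010-05-01
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keyring := []TrustedKey{{Name: "dev", Pub: pub, RevokedAt: time.Date(2010, 5, 1, 0, 0, 0, 0, time.UTC)}}
	digest := sha256.Sum256([]byte("constructed package bytes"))
	for _, at := range []time.Time{keyring[0].RevokedAt.Add(-time.Hour), keyring[0].RevokedAt.Add(time.Hour)} {
		_, err := Verify(keyring, digest[:], at, Sign(priv, digest[:], at))
		fmt.Println(at, "->", err)
	}
}
```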
