[arch-general] Package signing

Thomas Bächler thomas at archlinux.org
Thu Apr 29 17:29:21 CEST 2010


Am 29.04.2010 00:36, schrieb Linas:
> Thomas Bächler wrote:
>> We must have a system that allows pacman to automatically verify new
>> developer keys and revoke old ones ... even more important, revoke them
>> in a way that signatures made before a certain date are still accepted,
>> but newer ones aren't.
>> I don't see this easily being implemented with PGP-Keys, but maybe
>> someone else knows more.
>>   
> 
> You can't trust a package made with a compromised key just because it
> looks old. That can be falsified.
> Packages not affected should be resigned by another developer / the new
> developers key.
> I would still recompile them, though (withouth necessarily increasing
> the pkgrel).

You are right, if the key has been compromised, you can easily include a
fake date. So upon revoking a key, all packages have to be re-signed.

This shows again that this is not a topic you can just solve by throwing
some code at people. It needs a proper chain of trust and concepts to
cover all cases - otherwise, it might be possible to compromise the
system, giving users a false sense of security.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20100429/d932029d/attachment.bin>


More information about the arch-general mailing list