[arch-general] Package signing

Allan McRae allan at archlinux.org
Thu Apr 29 17:40:49 CEST 2010

On 30/04/10 01:29, Thomas Bächler wrote:
> Am 29.04.2010 00:36, schrieb Linas:
>> Thomas Bächler wrote:
>>> We must have a system that allows pacman to automatically verify new
>>> developer keys and revoke old ones ... even more important, revoke them
>>> in a way that signatures made before a certain date are still accepted,
>>> but newer ones aren't.
>>> I don't see this easily being implemented with PGP-Keys, but maybe
>>> someone else knows more.
>> You can't trust a package made with a compromised key just because it
>> looks old. That can be falsified.
>> Packages not affected should be resigned by another developer / the new
>> developers key.
>> I would still recompile them, though (withouth necessarily increasing
>> the pkgrel).
> You are right, if the key has been compromised, you can easily include a
> fake date. So upon revoking a key, all packages have to be re-signed.
> This shows again that this is not a topic you can just solve by throwing
> some code at people. It needs a proper chain of trust and concepts to
> cover all cases - otherwise, it might be possible to compromise the
> system, giving users a false sense of security.

Has anyone had a good look at the other implementations of package 
signing (Debian, Fedora, ...) and made a summary of how they handle it?

More information about the arch-general mailing list