[arch-general] Is it secure to just sign repository databases?

Manuel Reimer Manuel.Spam at nurfuerspam.de
Sun Jun 16 09:03:48 UTC 2019


I run a repository locally that I would like to share to the public.

The build is mostly automated. That's why I don't want to sign each 
individual package. The private key is not stored on the build machine 
and I want to sign the resulting stuff externally.

The easiest way would be actually to just manually sign the database 
file. As this file includes all checksums of the individual packages, I 
think this is as secure as signing every package, right?

Thanks in advance


More information about the arch-general mailing list