[arch-general] Is it secure to just sign repository databases?

brent s. bts at square-r00t.net
Sun Jun 16 14:44:44 UTC 2019

On 6/16/19 5:03 AM, Manuel Reimer wrote:
> Hello,
> I run a repository locally that I would like to share to the public.
> The build is mostly automated. That's why I don't want to sign each
> individual package. The private key is not stored on the build machine
> and I want to sign the resulting stuff externally.
> The easiest way would be actually to just manually sign the database
> file. As this file includes all checksums of the individual packages, I
> think this is as secure as signing every package, right?
> Thanks in advance
> Manuel

theoretically, your thought process is sound. unfortunately, pacman
doesn't verify like this (to my knowledge; someone feel free to correct me).

but there's nothing necessitating you sign the package on the build
machine, technically. you could fetch the repo DB, grab the checksums
inside (i believe they contain a metadata tree and .PKGINFO; been a
while since i explored the format), fetch the package itself into
memory, and if the checksum matches, you can create a detached signature
from that item in memory, then upload that signature. (i think? you
might meed to regen the repo.db; not sure if it tracks sigs.)
there is, of course, the trouble of not being able to cryptographically
verify the integrity of the checksums inside the repo DB (since the
packages are being fetches from a remote source and *technically*
possibly could have been tampered along with the repo DB). this is why
signing is done at build time - it at least removes that vector
(notwithstanding local tampering, but that's time-sensitive and a
dedicated build box separate from a repo server is a lot more resistant).

i can create a python PoC of this if that'd be easier to understand of
the "remote signing".

BUT. TL;DR "pacman doesn't work like that" and it's generally safer
practice to build and sign (and build a repo db) on a different box,
then push to the repo server.

brent saner
GPG info: https://square-r00t.net/gpg-info

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190616/67748176/attachment.sig>

More information about the arch-general mailing list