[arch-general] Is it secure to just sign repository databases?

[Manuel Reimer]

On 16.06.19 17:57, Eli Schwartz via arch-general wrote:
> As a matter of fact, if you use clean chroot builds
> then you possibly don't want to copy your private key to the chroot, and
> anyway there have IIRC been bugs with signing in a chroot, so the
> devtools scripts do not do signing in the chroot and the official upload
> scripts for core/extra/community will do gpg --detach--sign --no-armor
> by hand, so you are in good company!

I don't do builds in "chroot" environment. TBH I never managed to get 
this to build completely automatic. The problem is that the existing 
scripts start off in a unprivileged context and then require me to enter 
the root password when entering the chroot.

My own concept does it the other way around. Main script runs as root 
and it forks off unprivileged processes to do the build. After building 
this forked process exits and the "root-privileged" host process takes 
over again to prepare for the next package build. This includes required 
dependency installs.

https://github.com/M-Reimer/repo-make

All this runs on a dedicated "Build VM" on Oracle Virtual Box.

Yes, I get "clean" builds with this, as between every build step, all 
unneeded dependency packages are uninstalled.

Maybe there are other fully automatic systems out there, but my script 
served me well, so far.

I was just wondering if there is any way to not have to have the private 
key on this build VM at all. But I guess if something goes wrong on this 
VM, then security is gone anyway.

But thanks for the information about how the signing works. I think I'll 
move this out of the "unprivileged build process" and do the signing in 
the root-privileged main process. This way the dedicated build user of 
this build VM does not have access to the private key.

Manuel