[arch-general] Is it secure to just sign repository databases?
Manuel.Spam at nurfuerspam.de
Mon Jun 17 15:11:47 UTC 2019
On 16.06.19 17:57, Eli Schwartz via arch-general wrote:
> As a matter of fact, if you use clean chroot builds
> then you possibly don't want to copy your private key to the chroot, and
> anyway there have IIRC been bugs with signing in a chroot, so the
> devtools scripts do not do signing in the chroot and the official upload
> scripts for core/extra/community will do gpg --detach--sign --no-armor
> by hand, so you are in good company!
I don't do builds in "chroot" environment. TBH I never managed to get
this to build completely automatic. The problem is that the existing
scripts start off in a unprivileged context and then require me to enter
the root password when entering the chroot.
My own concept does it the other way around. Main script runs as root
and it forks off unprivileged processes to do the build. After building
this forked process exits and the "root-privileged" host process takes
over again to prepare for the next package build. This includes required
All this runs on a dedicated "Build VM" on Oracle Virtual Box.
Yes, I get "clean" builds with this, as between every build step, all
unneeded dependency packages are uninstalled.
Maybe there are other fully automatic systems out there, but my script
served me well, so far.
I was just wondering if there is any way to not have to have the private
key on this build VM at all. But I guess if something goes wrong on this
VM, then security is gone anyway.
But thanks for the information about how the signing works. I think I'll
move this out of the "unprivileged build process" and do the signing in
the root-privileged main process. This way the dedicated build user of
this build VM does not have access to the private key.
More information about the arch-general