[arch-general] Is it secure to just sign repository databases?

Manuel Reimer Manuel.Spam at nurfuerspam.de
Mon Jun 17 16:38:29 UTC 2019


On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
> That being said, it's possible to configure sudo to run makechrootpkg,
> but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=...
> makechrootpkg.

I've tried several times to just launch makechrootpkg with root 
privileges directly. As makechrootpkg drops to an unprivileged user 
inside the chroot, this should be perfectly safe.

But I always ran into errors saying that makepkg is not allowed to be 
run as root.

Does your SUDO_USER=... SUDO_UID=... command line allow launching it 
directly as root without needing sudo at all? This is what I would need 
to make my autobuild work.

> Yes -- do all signing locally, after the package leaves the build VM. If
> something goes wrong on the VM, you can remove the relevant packages
> without, say, revoking your key, so the security issue is less drastic.

This would also be a possible way: sign packages whose signature is 
outdated, delete signatures that don't belong to any package and finally 
repo-add everything after deleting the db file.

Is there a better tool than repo-add/repo-remove? I've been searching for 
some "repo-update" tool for quite a while now. A smart tool which 
doesn't recreate everything and just updates a DB file would be pretty handy.

Manuel
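As an added example (not code from this thread, from devtools or from pacman), here is a POSIX shell script implementing the local re-signing and database rebuild that the message above outlines: re-sign packages whose detached signature is missing or older than the package, delete signatures left behind by removed packages, then delete the db and repo-add everything. The repository directory, repository name and signing key are assumptions passed in as REPO_DIR, REPO_NAME and GPG_KEY; the gpg invocation is the one makepkg uses for package signatures, and the repo-add flags are from repo-add(8).

```shell
#!/bin/sh
# Added example, not code from the thread, devtools or pacman.
# Refresh a locally signed pacman repository after unsigned packages arrive
# from a build VM:
#   1. (re)sign packages whose detached .sig is missing or older than the package
#   2. delete .sig files whose package is gone
#   3. drop the old db and rebuild it with repo-add so removed packages vanish
# Assumptions (not from the post): REPO_DIR, REPO_NAME and GPG_KEY are set by
# the caller, and the signing key exists only on this machine, never in the VM.
set -u

# Print package files whose signature is missing or stale (by mtime).
packages_needing_signature() {
    dir=$1
    for pkg in "$dir"/*.pkg.tar*; do
        [ -e "$pkg" ] || continue
        case $pkg in *.sig) continue ;; esac
        if [ ! -e "$pkg.sig" ] || [ "$pkg" -nt "$pkg.sig" ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Print detached signatures that no longer have a package next to them.
orphan_signatures() {
    dir=$1
    for sig in "$dir"/*.sig; do
        [ -e "$sig" ] || continue
        [ -e "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
}

# Same gpg invocation makepkg uses for its own package signatures.
sign_package() {
    rm -f "$1.sig"
    gpg --detach-sign --use-agent --no-armor -u "$GPG_KEY" "$1"
}

# Never publish a signature that does not verify against the package.
verify_package() {
    gpg --verify "$1.sig" "$1" >/dev/null 2>&1
}

# repo-add only adds or updates entries; deleting the db first is the only
# way to make entries for removed packages disappear.
rebuild_database() {
    dir=$1 name=$2
    rm -f "$dir/$name".db* "$dir/$name".files*
    find "$dir" -maxdepth 1 -name '*.pkg.tar*' ! -name '*.sig' -print0 |
        xargs -0 repo-add --sign --key "$GPG_KEY" "$dir/$name.db.tar.xz"
}

refresh_repo() {
    dir=$1 name=$2
    orphan_signatures "$dir" | while IFS= read -r sig; do
        echo "removing orphan signature $sig"
        rm -f "$sig"
    done
    packages_needing_signature "$dir" | while IFS= read -r pkg; do
        echo "signing $pkg"
        sign_package "$pkg" && verify_package "$pkg" || {
            echo "signature for $pkg does not verify, aborting" >&2
            exit 1
        }
    done || return 1
    rebuild_database "$dir" "$name"
}

# Only act when called with "run", so the file can also be sourced for checks.
if [ "${1:-}" = run ]; then
    refresh_repo "$REPO_DIR" "$REPO_NAME"
fi
```

Run it as `REPO_DIR=/srv/repo REPO_NAME=myrepo GPG_KEY=<keyid> ./refresh-repo.sh run` on the signing host, not on the build VM. Two caveats: the mtime check is only a heuristic for "signature is outdated" (a copied or touched .sig can look fresh, which is why every fresh signature is verified before the db is rebuilt), and because repo-add never removes entries on its own, the db is deleted and recreated from the package files present, which is exactly the "delete the db file, then repo-add everything" step above.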

