[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases
allan at archlinux.org
Sat Nov 2 21:32:16 EDT 2013
On 03/11/13 11:19, Allan McRae wrote:
> Add function to sign repo database. Enabling signing requires setting
> SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
> from signing package files.
> Signed-off-by: Allan McRae <allan at archlinux.org>
GPG does not have a concept of some keys being valid for some tasks.
So pacman can not have this concept without implementing a complete hack
or requiring two separate keyrings (one for databases and one for
packages). Both of these are not going to happen, so we need to deal
with restricting key usage in dbscripts.
The idea here is that someone creates a repo signing key and all master
keys sign it. Then a subkey is created and put on nymeria. If we have
issues, the subkey is revoked and a new subkey is created.
Note that the patch assumes the db key will be added to nymeria's pacman
keyring which is located in the default location.
More information about the arch-projects