[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases

Pierre Schmitz pierre at archlinux.de
Sun Nov 3 03:50:48 EST 2013


Am 03.11.2013 02:32, schrieb Allan McRae:
> On 03/11/13 11:19, Allan McRae wrote:
>> Add function to sign repo database.  Enabling signing requires setting
>> SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
>> from signing package files.
>>
>> Signed-off-by: Allan McRae <allan at archlinux.org>
>> ---
> 
> GPG does not have a concept of some keys being valid for some tasks.
> So pacman can not have this concept without implementing a complete hack
> or requiring two separate keyrings (one for databases and one for
> packages).  Both of these are not going to happen, so we need to deal
> with restricting key usage in dbscripts.
> 
> The idea here is that someone creates a repo signing key and all master
> keys sign it.  Then a subkey is created and put on nymeria.  If we have
> issues, the subkey is revoked and a new subkey is created.
> 
> Note that the patch assumes the db key will be added to nymeria's pacman
> keyring which is located in the default location.
> 
> Allan

I don't see how this could work. If you sign a package using that key
pacman will happily accept it as valid. So if nymeria gets compromised
the attacker obtains a valid packager key. Imho implementing db sigs
this way is less secure than not implementing it at all.

Greetings,

Pierre

-- 
Pierre Schmitz, https://pierre-schmitz.com


More information about the arch-projects mailing list