[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman

Geoffroy Carrier geoffroy.carrier at koon.fr
Mon Jun 2 19:46:11 EDT 2008


Excerpts from Geoffroy Carrier's message of Tue Jun 03 01:25:31 +0200 2008:
> Keyring in pacman.conf, --keyring in pacman,
> support for this option in libalpm and pacman.

Now that I have a keyring, I'd like to start using it :)

Three options here:
 - Include tons of code from gpg in pacman :)
   Of course not the good move...
 - Use gpgme
   This library will rely on gnupg. Not the good move IMHO.
 - use popen/fork and exec*
   That's basically git's behaviour.
   We might wanna know gnupg's path somehow ;)
   Do we want to rely on the shell or use another XferCommand-like to
   get it? I'd rather use the first solution.
   Anyway, it's pretty easy to check the signature then: Just send the
   binary key to gpg --keyring $keyringfile --no-default-keyring \
                     --verify - $pkgfilename
   and expect it to return 0.

We have to think about the default interaction.
It would be easy to sign all packages as the first step, so expecting
signed packages for the first pacman release including GPG support seems
fair to me. I think asking confirmation from the user in case packages
are not signed, like apt tools do.

BTW, thanks toofishes for base64's support. Please contact me on XMPP
so that we can share stuff between our repos. My "not-so-experimental,
at least things compile" branch is available on
http://github.com/gcarrier/pacman/commits/pacgpg
but I might not update it on a regular basis.

-- 
Geoffroy Carrier
http://gcarrier.koon.fr/
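
The third option in the message above (fork and exec gpg directly, signature on stdin, exit status 0 meaning the signature was accepted), as an added example that is not part of the original message or of pacman's code. `verify_detached_sig` and its parameters are hypothetical names, and the caller is assumed to have already base64-decoded the signature.

```c
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not pacman/libalpm code. Returns gpg's exit status
 * (0 = signature accepted), or -1 on a local error or abnormal child exit. */
int verify_detached_sig(const char *gpg, const char *keyring, const char *pkgfile,
                        const unsigned char *sig, size_t siglen)
{
    int fds[2], status;
    pid_t pid;
    void (*old_pipe)(int);
    /* A file name starting with '-' would be parsed by gpg as an option. */
    if (!gpg || !keyring || !pkgfile || !sig || pkgfile[0] == '-')
        return -1;
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the pipe becomes stdin, then exec gpg directly (no shell). */
        char *argv[] = { (char *)gpg, "--no-default-keyring", "--keyring",
                         (char *)keyring, "--verify", "-", (char *)pkgfile, NULL };
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        execvp(gpg, argv);
        _exit(127); /* exec failed */
    }
    /* Parent: feed the decoded signature; survive a child that exits early. */
    close(fds[0]);
    old_pipe = signal(SIGPIPE, SIG_IGN);
    while (siglen > 0) {
        ssize_t n = write(fds[1], sig, siglen);
        if (n <= 0)
            break; /* a short write leaves gpg with a bad signature: fails closed */
        sig += n;
        siglen -= (size_t)n;
    }
    close(fds[1]);
    signal(SIGPIPE, old_pipe);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Passing an absolute path as `gpg` skips the PATH lookup that `execvp` otherwise performs, and because no shell is involved, metacharacters in the package file name are never interpreted.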



