[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman

[Dan McGee]

On Mon, Jun 2, 2008 at 6:46 PM, Geoffroy Carrier
<geoffroy.carrier at koon.fr> wrote:
> Excerpts from Geoffroy Carrier's message of Tue Jun 03 01:25:31 +0200 2008:
>> Keyring in pacman.conf, --keyring in pacman,
>> support for this option in libalpm and pacman.
>
> Now that I have a keyring, I'd like to start using it :)
>
> Three options here:
>  - Include tons of code from gpg in pacman :)
>   Of course not the good move...
>  - Use gpgme
>   This library will rely on gnupg. Not the good move IMHO.
>  - use popen/fork and exec*
>   That's basically git's behaviour.
>   We might wanna know gnupg's path somehow ;)
>   Do we want to rely on the shell or use another XferCommand-like to
>   get it? I'd rather use the first solution.
>   Anyway, it's pretty easy to check the signature then: Just send the
>   binary key to gpg --keyring $keyringfile --no-default-keyring \
>                     --verify - $pkgfilename
>   and except it to return 0.
>
> We have to think about the default interaction.
> It would be easy to sign all packages as the first step, so excepting
> signed packages for the first pacman release including GPG support seems
> fair to me. I think asking confirmation from the user in case packages
> are not signed, like apt tools do.
>
> BTW, thanks toofishes for base64's support. Please contact me on XMPP
> so that we can share stuff between our repos. My "not-so-experimental,
> at least things compile" branch is available on
> http://github.com/gcarrier/pacman/commits/pacgpg
> but I might not update it on a regular basis.

FYI for you (Geoffroy) and everyone- I just pushed my gpg branch to
toofishes.net, so it is now available there for fetching. This is a
combination of Geoffroy and I's patches to try to get GPG support into
our tools (makepkg, repo-add, and eventually libalpm/pacman). Please
let me know if you see any issues with this branch.

-Dan