[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman
Dan McGee
dpmcgee at gmail.com
Tue Jun 3 01:27:18 EDT 2008
On Mon, Jun 2, 2008 at 6:46 PM, Geoffroy Carrier
<geoffroy.carrier at koon.fr> wrote:
> Excerpts from Geoffroy Carrier's message of Tue Jun 03 01:25:31 +0200 2008:
>> Keyring in pacman.conf, --keyring in pacman,
>> support for this option in libalpm and pacman.
>
> Now that I have a keyring, I'd like to start using it :)
>
> Three options here:
> - Include tons of code from gpg in pacman :)
> Of course not the good move...
> - Use gpgme
> This library will rely on gnupg. Not the good move IMHO.
> - use popen/fork and exec*
> That's basically git's behaviour.
> We might wanna know gnupg's path somehow ;)
> Do we want to rely on the shell or use another XferCommand-like to
> get it? I'd rather use the first solution.
> Anyway, it's pretty easy to check the signature then: Just send the
> binary key to gpg --keyring $keyringfile --no-default-keyring \
> --verify - $pkgfilename
> and expect it to return 0.
>
> We have to think about the default interaction.
> It would be easy to sign all packages as the first step, so expecting
> signed packages for the first pacman release including GPG support seems
> fair to me. I think asking confirmation from the user in case packages
> are not signed, like apt tools do.
>
> BTW, thanks toofishes for base64's support. Please contact me on XMPP
> so that we can share stuff between our repos. My "not-so-experimental,
> at least things compile" branch is available on
> http://github.com/gcarrier/pacman/commits/pacgpg
> but I might not update it on a regular basis.
FYI for you (Geoffroy) and everyone- I just pushed my gpg branch to
toofishes.net, so it is now available there for fetching. This is a
combination of Geoffroy's and my patches to try to get GPG support into
our tools (makepkg, repo-add, and eventually libalpm/pacman). Please
let me know if you see any issues with this branch.
-Dan
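
The fork/exec option discussed in the quoted message, written out as an added example; it is not code from the pacman tree or from either author. The function name `verify_detached_sig` and the caller-supplied `gpg_path` parameter are assumptions; the gpg options are the ones quoted above.

```c
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example. Returns 0 if gpg exits 0 (signature accepted), 1 if it exits
 * non-zero or cannot be executed, -1 on a local failure (pipe/fork/wait).
 * gpg_path is an assumption: the caller supplies it, e.g. from configuration. */
int verify_detached_sig(const char *gpg_path, const char *keyring,
                        const char *pkgfile,
                        const unsigned char *sig, size_t siglen)
{
    int fds[2], status;
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the signature arrives on stdin ("-"). argv is handed to
         * exec directly, so no shell parses keyring or package names. */
        char *const argv[] = {
            (char *)gpg_path, "--no-default-keyring", "--keyring",
            (char *)keyring, "--verify", "-", (char *)pkgfile, NULL
        };
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        execvp(gpg_path, argv);
        _exit(127); /* exec failed: must never look like success */
    }
    /* Parent: write the signature, then close the pipe to signal EOF. */
    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit early */
    while (siglen > 0) {
        ssize_t n = write(fds[1], sig, siglen);
        if (n <= 0)
            break; /* a truncated signature fails in gpg; status decides */
        sig += n;
        siglen -= (size_t)n;
    }
    close(fds[1]);
    signal(SIGPIPE, old);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 0 : 1;
}
```

Every outcome other than a clean exit status of 0 is treated as a verification failure, including a gpg binary that is missing or killed by a signal.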