[pacman-dev] Package signing again....
Thomas Bächler
thomas at archlinux.org
Wed Jul 1 17:43:03 EDT 2009
Aaron Griffin wrote:
> I don't know if anyone really has a clear idea of how this should
> work. So it's difficult to give a "high level" design here.
>
> From my point of view:
> * Should be optional, possibly per repo (so we can use signed packages
> from core and extra, and unsigned packages from mycustomrepo)
> * Needs to get keys from some keychain somehow
> * Should be rather transparent once turned on
First of all, I wouldn't use GPG like was suggested in the past, but
some real certificates (openssl or gnutls can do this). First we create
an Arch Linux certificate authority. Then we generate certificates for
all developers and trusted users. Now this is what's going to happen on
the pacman end:
Pacman has a list of trusted certificates. This would only have to
include the Arch Linux CA certificate and certificates for all community
repositories that are used on the machine in question. Other
certificates can automatically be downloaded and verified. When
installing a package with -S, during the "checking integrity" stage,
pacman checks for a file "signature" in the db.tar.gz that contains a
signature. If it is valid, the installation continues, otherwise aborts.
If there is no "signature" file, pacman prints a warning (or aborts,
depending on its configuration).
Now all that has to be done is generate the signature when running
makepkg, upload it with devtools and make repo-add support adding the
signature file.
This is not as complicated as you put it :)
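The flow described above (a CA, per-developer certificates issued by it, a detached signature checked at install time, and a client that trusts only the CA), as an added example that is not code from this thread or from pacman; it uses the openssl CLI, and the CA name, developer name and file names are constructed:

```shell
#!/bin/sh
# Added example, not code from the pacman-dev thread: a minimal model of the
# certificate-based scheme proposed above, built with the openssl CLI.
# "Example CA", "dev@example" and all file names are constructed.
set -eu

# Build the constructed PKI in directory $1: a self-signed CA and one
# developer certificate issued by that CA (the developer / trusted-user role).
make_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dev@example" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/dev.crt" 2>/dev/null
}

# makepkg side: detached SHA-256/RSA signature of package $1 made with key $2,
# written to $1.sig (the "signature" file repo-add would carry in the db).
sign_pkg() {
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# pacman side: $1 = package, $2 = signer certificate, $3 = CA certificate.
# The client trusts only the CA: the signer certificate must chain to it, and
# only then is its public key used to check the detached signature.
# Exit status 0 means "installation continues", non-zero means "abort".
verify_pkg() {
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -pubkey -noout > "$2.pub" 2>/dev/null
  openssl dgst -sha256 -verify "$2.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Stand-alone run: sign a constructed package, verify it, then show that a
# package modified after signing is rejected.
WORK=$(mktemp -d)
make_pki "$WORK"
printf 'constructed package contents\n' > "$WORK/foo-1.0-1.pkg.tar.xz"
sign_pkg "$WORK/foo-1.0-1.pkg.tar.xz" "$WORK/dev.key"
verify_pkg "$WORK/foo-1.0-1.pkg.tar.xz" "$WORK/dev.crt" "$WORK/ca.crt" \
  && echo "signature valid: installation continues"
printf 'tampered\n' >> "$WORK/foo-1.0-1.pkg.tar.xz"
verify_pkg "$WORK/foo-1.0-1.pkg.tar.xz" "$WORK/dev.crt" "$WORK/ca.crt" \
  || echo "signature invalid: installation aborts"
```

A certificate that is not issued by the trusted CA fails at the `openssl verify` step even when its key produced a correct signature, which is what makes the CA certificate the only thing the client has to ship pre-trusted.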