[pacman-dev] New patchset for package signing

[Denis A. Altoé Falqueto]

So, I changed the code to use gpgme. Here are the patches for your evaluation.

By the way, I'm not {angry,upset,crying} :) I really want to see package signing
in pacman, but I know that this is a complex issue that will need lots of discussion.

Below, follows a little explanation of the general idea of each patch.

[PATCH 1/5] pacman-key: keyring management tool

The script that helps with management for pacman keyring. It uses gpg, instead of
gpg2 and is heavly inpired on apt-key, from debian. It is very straightforward.

[PATCH 2/5] Signature verification functions

Two functions: one for signatures in memory and another for signatures in files.
Signatures of packages are stored in the repository and are copied to memory
before verification. The signatures of database files are stored on files,
hence the new function.

[PATCH 3/5] Verify the signatures of databases and packages

The calls for the signature functions. Verification of database updates
and package instalations from the repositories.

I didn't worry about local instalations, but it doesn't mean they are
not there. If it were verified before (as Dan suggests), they are there. :)

A point raised by Dan was that the reading of the signature from the
repository was too complex. The reaasoning behind it is that signatures
grow according to the size of the key used to sign. So, we can't be
never sure if some buffer size is really enough. Maybe it is enough
now, but in the future it may be not and we'll have a new bug in
the bugtracker. My implementation is simple and robust, so it will
work with any signature size.

[PATCH 4/5] Parameter to select key to sign

Just a new parameter to allow the packager to select the key he wants to use.
if the key is not specified, his default key will be used.

[PATCH 5/5] Document new options related to package signing

Just documentation. No imporant comment.

As always, comments and suggestions are welcome.

--
Denis A. Altoé Falqueto